Portable electronic authorization system and method

ABSTRACT

In one embodiment, an apparatus comprises a user authenticator and a transponder. The transponder is permitted to emit a wireless signal representing information stored in the apparatus in response to a wireless interrogation signal after the user authenticator has authenticated the identity of the user. In another embodiment, an apparatus comprises, a memory, a user input, and a transponder. The memory stores at least first and second distinct codes. The user input permits a user to select any one of the at least first and second codes for transmission in response to a wireless interrogation signal. The transponder emits a wireless signal representing the selected one of the at least first and second codes in response to an interrogation signal. In yet another embodiment, a token that may be used to engage in a transaction at a point of sale comprises a substrate, a rewritable memory, and a reconfigurable display. The rewriteable memory is supported by the substrate and can be selectively configured to store information on the token that identifies an account that is to be used to engage in the transaction at the point of sale. The substrate and memory are configured and arranged such that the substrate can be selectively interfaced with an apparatus at the point of sale to permit the apparatus to read the contents of the memory. The reconfigurable display is also supported by the substrate and displays at least some of the information that is stored in the rewritable memory.

RELATED APPLICATIONS

This application is a Divisional of application Ser. No. 10/392,319,filed Mar. 19, 2003, and now pending, which claims the benefit of eachof (1) Application Ser. No. 60/366,098, filed Mar. 19, 2002, and (2)Application Ser. No. 60/379,964, filed May 13, 2002, and which is aContinuation-in-Part (CIP) of application Ser. No. 09/968,628, filedOct. 1, 2001, and now pending, which is a CIP of application Ser. No.09/675,438, filed Sep. 28, 2000, and now pending, which claims thebenefit of each of the following U.S. Provisional Patent Applications:(1) Application Ser. No. 60/156,356, filed Sep. 28, 1999; (2)Application Ser. No. 60/167,050, filed Nov. 23, 1999; (3) ApplicationSer. No. 60/184,425, filed Feb. 23, 2000; and (4) Application Ser. No.60/217,542, filed Jul. 12, 2000.

FIELD OF THE INVENTION

The present inventions are directed to novel systems and methods forengaging in transactions involving financial and/or non-financial media.

BACKGROUND OF THE INVENTION

People often times carry wallets with them when they engage in their dayto day activities. A typical wallet is made of leather or other suitablematerial, and is generally a foldable structure that readily fits into apocket or purse. A wallet typically includes a number of pockets,pouches, or the like for storing items such as a driver's license, asocial security card, identification cards, credit cards, debit cards,membership cards, commuter passes, access tools, business cards, cash,coupons, event tickets, transportation tickets, frequent customer cards(e.g., a frequent flier card), medical information cards, receipts,photographs, etc.

Wallets are frequently stolen, lost, or misplaced. When any of theseevents occurs, not only must the wallet itself be replaced, but all ofthe contents of the wallet must be replaced as well. As anyone who haslost a wallet can testify, replacing the contents of a wallet can becumbersome and expensive. In addition, if a wallet is stolen or if alost wallet falls into the wrong hands, the contents of the wallet maybe used to engage in unauthorized activities which financially detrimentthe wallet owner, as well as any banks, credit issuers, and/or otherinstitutions that issued financial media to the wallet owner.

While the wallet owner is generally able to “cancel” financial media insuch situations by contacting the respective financial media issuers,often times this is done too late, i.e., after one or more media havebeen exploited by the unauthorized user. In some cases, the wallet ownermay not recall all of the contents of the now stolen wallet, and so mayfail to report theft of one or more items. Further, in addition to anycash contained in a lost or stolen wallet, many media issued bynon-financial media issuers have a significant cash value, e.g.,transportation tickets, event tickets, commuter passes, and the like,and therefore represent an immediate (and often times unrecoverable)financial loss to the wallet owner. Moreover, the misappropriation ofmedia issued by non-financial media issuers that contain personalinformation, e.g., a drivers license, social security card,identification card, etc., present the opportunity for an unauthorizedpossessor of a wallet to engage in the practice known as “identitytheft,” whereby the possessor may assume the identity of the walletowner for various fraudulent purposes, e.g., using the assumed identityto obtain and exploit one or more new financial media.

Another device commonly used to engage in or authorize transactions is aradio frequency identification (RFID) tag. In an RFID system, an“interrogator” broadcasts a radio frequency (RF) signal which, ifreceived by an RFID tag, causes the RFID tag to return an RF signal tothe interrogator that includes information from the tag that may be usedto authorize a transaction. Situations in which such tags have beenemployed include, e.g., automated toll booths and gasoline servicestations. RFID tags may be made relatively small in size and thereforemay be kept virtually anywhere, e.g., on a keychain or clipped to anautomobile visor. Unfortunately, while this aspect of these devices makethem convenient, it also makes them highly susceptible to loss or theft.Whenever an RFID tag falls into the wrong hands, there is potential forit to be misused for a long period of time before it is discovered to bemissing and some action is take to disable the account associated withit so that it can no longer be used to authorize transactions.

SUMMARY OF THE INVENTION

According to one aspect of the present invention, an apparatus comprisesa user authenticator and a transponder. The transponder is permitted toemit a wireless signal representing information stored in the apparatusin response to a wireless interrogation signal after the userauthenticator has authenticated the identity of the user.

According to another aspect, an apparatus comprises, a memory, a userinput, and a transponder. The memory stores at least first and seconddistinct codes. The user input permits a user to select any one of theat least first and second codes for transmission in response to awireless interrogation signal. The transponder emits a wireless signalrepresenting the selected one of the at least first and second codes inresponse to an interrogation signal.

According to yet another aspect, a token that may be used to engage in atransaction at a point of sale comprises a substrate, a rewritablememory, and a reconfigurable display. The rewriteable memory issupported by the substrate and can be selectively configured to storeinformation on the token that identifies an account that is to be usedto engage in the transaction at the point of sale. The substrate andmemory are configured and arranged such that the substrate can beselectively interfaced with an apparatus at the point of sale to permitthe apparatus to read the contents of the memory. The reconfigurabledisplay is also supported by the substrate and displays at least some ofthe information that is stored in the rewritable memory.

According to another aspect, a method for using an apparatus comprisessteps of using the apparatus to authenticate an identity of a user ofthe apparatus, and after the apparatus has authenticated the identity ofthe user, enabling a transponder of the apparatus to emit a wirelesssignal representing information stored in the apparatus in response to awireless interrogation signal.

According to another aspect, a method for using an apparatus comprisessteps of manipulating a user input on the apparatus to select one of atleast first and second codes stored in memory, and permitting atransponder of the apparatus to emit a wireless signal representing theselected one of the at least first and second codes in response to awireless interrogation signal.

According to yet another aspect, a method for configuring a token to beused to engage in a transaction at a point of sale involves a step ofconfiguring a rewritable memory of the token to store information thatidentifies an account that may be used to engage in the transaction atthe point of sale. The memory is configured and arranged on the tokensuch that the token can be selectively interfaced with an apparatus atthe point of sale to permit the apparatus to read the contents of thememory. The method further involves a step of configuring a display onthe token to display at least some of the information that is stored inthe rewritable memory.

According to another aspect, a method is disclosed for enabling asoftware module on a computer operated by a user to access restrictedinformation on a server. With an electronic device distinct from thecomputer, an identity of the user is authenticated to determine that theuser is permitted to access the restricted information on the server. Inresponse to the electronic device authenticating the identity of theuser, the software module on the computer is permitted to access therestricted information on the server.

According to another aspect, a method is disclosed for altering settingson a computer to correspond to settings on an electronic device distinctfrom the computer. With the electronic device, an identity of a user isauthenticated to determine that the user is authorized to use theelectronic device. In response to authenticating the identity of theuser, the settings on the computer are altered to correspond to settingson the electronic device.

According to another aspect, a system for enabling a software module ona computer operated by a user to access restricted information on aserver includes an electronic device which includes a user-authenticatorto authenticate an identity of the user to determine that the user ispermitted to access the restricted information on the server. The systemfurther comprises means for, in response to the electronic deviceauthenticating the identity of the user operating the computer, enablingthe software module on the computer to access the restricted informationon the server.

According to yet another aspect, a system for altering settings on acomputer to correspond to settings on an electronic device distinct fromthe computer comprises a user authenticator included in the electronicdevice to authenticate an identity of a user to determine that the useris authorized to use the electronic device. The system further comprisesmeans for, in response to authenticating the identity of the user,altering the settings on the computer to correspond to settings on theelectronic device.

According to another aspect, an apparatus includes a housing; a userauthenticator, supported by the housing, that authenticates an identityof a user; at least one memory, supported by the housing, that storestransaction information for at least first and second media; and atleast one output, supported by the housing, that releases at least aportion of the transaction information to a point-of-sale (POS) terminalafter the user authenticator has authenticated the identity of the user.

According to another aspect, a method involves steps of: (a) storingtransaction information for at least first and second media in a memoryof a device (b) using the device to authenticate an identity of a user;and (c) after authenticating the identity of the user with the device,transferring at least a portion of the transaction information from thedevice to a point-of-sale (POS) terminal.

According to another aspect, an apparatus includes: a housing; at leastone memory, supported by the housing, that stores transactioninformation for at least one media; a user authenticator, supported bythe housing, that authenticates an identity of a user of the apparatus;and at least one output, supported by the housing, that, after the userauthenticator has authenticated the identity of the user, releases anembedded identification code of the apparatus from the housing thatenables a device receiving the embedded identification ID code toauthenticate the identity of the apparatus.

According to another aspect, a method involves steps of: storingtransaction information for at least one media in a memory of a firstdevice; using the first device to authenticate an identity of a user;and after authenticating the identity of the user with the first device,releasing an embedded identification code of the apparatus from thehousing that enables a second device receiving the embeddedidentification code to authenticate the identity of the first device.

According to another aspect, an apparatus includes: at least one memorythat stores transaction information for at least first and second media;at least one input that enables a user to select one of the at leastfirst and second media; a display that provides a visual indication tothe user regarding which of the at least first and second media has beenselected with the at least one input; and at least one output thatselectively releases at least a portion of the transaction informationto a point-of-sale (POS) terminal.

According to another aspect, a method involves steps of: storingtransaction information for at least first and second media in a memoryof a device; receiving as input a user's selection of one of the atleast first and second media; displaying a visual indication to the userregarding which of the at least first and second media has beenselected; and transferring at least a portion of the transactioninformation from the device to a point-of-sale (POS) terminal.

According to another aspect, an apparatus includes: at least one memorythat stores transaction information for at least one financial media andat least one non-financial media; and at least one output thatselectively releases at least a portion of the transaction informationto a point-of-sale (POS) terminal.

According to another aspect, a method involves steps of: storingtransaction information for at least one financial media and at leastone non-financial media in a memory of a device; and transferring atleast a portion of the transaction information from the device to apoint-of-sale (POS) terminal.

According to another aspect, a system includes: a housing; at least onememory, supported by the housing, that stores transaction informationfor at least one media; a device releasably attached to the housing; andconfiguring means, supported by the housing, for selectively configuringthe device to hold the transaction information so that the device may beused to engage in a transaction involving the at least one media.

According to another aspect, a method involves steps of: (a) storingtransaction information for at least one media in a memory of a firstdevice, the first device having a second device releasably attachedthereto; (b) while the second device is attached to the first device,configuring the second device to hold the transaction information forthe at least one media based on the contents of the memory; (c)detaching the second device from the first device; and (d) using thesecond device to engage in a transaction involving the at least onemedia.

According to another aspect, a system includes: a first device includinga user authenticator that authenticates an identity of a user; and asecond device releasably attached to the first device, wherein thesecond device holds transaction information for at least one media sothat the second device may be used to engage in a transaction involvingthe at least one media, and wherein the second device is detached fromthe first device after the user authenticator has authenticated theidentity of the user.

According to another aspect, a method involves steps of: with a firstdevice, authenticating an identity of a user; and after authenticatingthe identity of a user with the first device, detaching a second devicefrom the first device, the second device holding transaction informationfor at least one media so that the second device may be used to engagein a transaction involving the at least one media.

According to another aspect, a system includes: a first device; a seconddevice that has the first device releasably attached thereto, the seconddevice including means for selectively configuring the first device tohold transaction information for a first media but not for a secondmedia so that the first device may be used to engage in a transactioninvolving the first media but not the second media, and the seconddevice further including means for selectively configuring the firstdevice to hold transaction information for the second media but not forthe first media so that the first device may be used to engage in atransaction involving the second media but not the first media.

According to another aspect, a method involves steps of: selectivelyconfiguring a device to hold transaction information for a first mediabut not for a second media so that the device may be used to engage in atransaction involving the first media but not the second media; andselectively configuring the device to hold transaction information forthe second media but not the first media so that the device may be usedto engage in a transaction involving the second media but not the firstmedia.

According to another aspect, a system includes: at least one memory thatstores first transaction information for a first media; at least oneoutput that selectively releases at least a portion of the firsttransaction information to a point-of-sale (POS) terminal; and means forenabling a person to whom the first media is issued to selectively addsecond transaction information for a second media to the memory.

According to another aspect, a method involves steps of: storing firsttransaction information for a first media in a memory of a device;releasing at least a portion of the first transaction information to apoint-of-sale (POS) terminal; and in response to a request by the personto whom the first transaction information is issued, adding secondtransaction information for a second media to the memory.

According to another aspect, a system includes: at least one memory thatstores first transaction information for a first media and secondtransaction information for a second media; at least one output thatselectively releases at least a portion of the first transactioninformation to a point-of-sale (POS) terminal; and means for enabling aperson to whom the first media is issued to selectively remove at leasta portion of the second transaction information from the memory.

According to another aspect, a method involves steps of: storing firsttransaction information for a first media and second transactioninformation for a second media in a memory of a device; releasing atleast a portion of the first transaction information to a point-of-sale(POS) terminal; and, in response to a request by the person to whom thesecond media is issued, removing at least a portion of the secondtransaction information from the memory.

According to another aspect, a system includes: at least one memory thatstores transaction information for at least one media; at least oneoutput that selectively releases at least a portion of the transactioninformation to a point-of-sale (POS) terminal; and means for enabling atleast one functional characteristic of the at least one media to bealtered by altering the contents of the least one memory.

According to another aspect, a method involves: storing transactioninformation for at least one media in a memory of a device; releasing atleast a portion of the transaction information to a point-of-sale (POS)terminal; and altering at least one functional characteristic of the atleast one media by altering the contents of the least one memory.

According to another aspect, an apparatus includes: a housing; a userauthenticator, supported by the housing, that authenticates an identityof a user; at least one memory that, supported by the housing, storesfirst transaction information for a first media and second transactioninformation for a second media; and at least one output, supported bythe housing, that releases the first transaction information only afterthe user authenticator has authenticated the identity of the user, andthat releases the second information without requiring the userauthenticator to have authenticated the identity of the user.

According to another aspect, a method involves steps of: storing firsttransaction information for a first media and second transactioninformation for a second media in at least one memory of a device; usingthe device to authenticate an identity of a user; releasing the firsttransaction information only after the identity of the user has beenauthenticated; and releasing the second transaction information withoutrequiring the identity of the user to be authenticated.

According to another aspect, a system includes: a first device; and asecond device having the first device releasably attached thereto suchthat, when the first device is attached to the second device, the seconddevice causes the first device to generate a machine-readable code foronly a predetermined, finite period of time after the first device isdetached from the second device.

According to another aspect, a method involves a step of generating amachine-readable code on a device for only a predetermined, finiteperiod of time.

According to another aspect, an apparatus includes: a portablesubstrate; a power supply supported by the substrate; and at least onecontroller supported by the substrate and powered by the power supply,the at least one controller being configured to generate a simulatedmagnetic stripe on the substrate.

According to another aspect, an method involves a step of generating asimulated magnetic stripe on a portable device.

According to another aspect, a system includes: at least one memory thatstores transaction information for at least one media; a userauthenticator that authenticates an identity of the user; and a displaythat provides a visual indication to the user regarding the at least onemedia, the visual indication being displayed for only a predetermined,finite period of time after the user authenticator has authenticated theidentity of the user.

According to another aspect, a method involves steps of: authenticatingan identity of a user; and displaying a visual indication to the userregarding the at least one media for only a predetermined, finite periodof time after authenticating the identity of the user.

According to another aspect, a system includes a portable device thatcan be used to engage in point-of-sale (POS) transactions; and a deviceremote from the portable device, that can disable an ability of theportable device to engage in POS transactions.

According to another aspect, a method involves steps of: providing aportable device that can be used to engage in point-of-saletransactions; and at a location remote from the portable device,disabling an ability of the portable device to engage in POStransactions.

According to another aspect, a method involves steps of: storingtransaction authorization information for at least two media in a firstmemory of a first device; and storing the transaction authorizationinformation for the at least two media in a second memory, which isdisposed at a location remote from the first device.

According to another aspect, a system includes: a first device; and asecond device having the first device releasably attached thereto suchthat, when the first device is attached to the second device, the seconddevice can cause the first device to generate a machine-readable codeafter the first device is detached from the second device, the seconddevice including at least one controller configured so as to be capableof causing the first device to generate the machine-readable code onlyfor a finite, predetermined period of time.

According to another aspect, a method involves a step of configuring afirst device such that the first device is capable, for only apredetermined, finite period of time, of generating a machine-readablecode on a second device.

According to another aspect, a method involves steps of: receivinginformation at a first device that has been transmitted over anelectronic communication link; and after receiving the information atthe first device, using a media at the first device to access a quantityof credit or cash reserves that could not be accessed prior to the firstdevice receiving the information.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an example of a network system inwhich a portable electronic authorization device (also referred toherein as a “Pocket Vault”) may be employed according to one embodimentof the invention;

FIG. 2 is a block diagram showing an illustrative embodiment of thePocket Vault shown in FIG. 1;

FIG. 3 is a block diagram showing an illustrative embodiment of one ofthe interface stations shown in FIG. 1;

FIG. 4 is a block diagram showing an illustrative embodiment of thenetwork server(s) shown in FIG. 1;

FIG. 5 is a diagram showing an example of how the memory of the PocketVault shown in FIG. 2 may be configured in accordance with oneembodiment of the invention;

FIG. 6 is a block diagram showing an illustrative embodiment of thetoken (e.g., a card) associated with the Pocket Vault shown in FIG. 2;

FIG. 7 is a flow diagram illustrating a primary routine that may beexecuted by the controller of the Pocket Vault shown in FIG. 2;

FIG. 8 is a flow diagram illustrating an example implementation of thePROCESS POCKET VAULT VALIDATION routine shown in FIG. 7;

FIG. 9 is a flow diagram illustrating an example implementation of theUNAUTHORIZED HOLDER routine shown in FIG. 7;

FIG. 10 is a flow diagram illustrating an example implementation of theAUTHORIZED HOLDER routine shown in FIG. 7;

FIG. 11 is a flow diagram illustrating an example implementation of thePROCESS CARD TRANSACTION routine shown in FIG. 10;

FIG. 12 is a flow diagram illustrating an example implementation of theVERIFY CARD RETURN routine shown in FIG. 7;

FIG. 13 is a flow diagram illustrating an example implementation of aprimary routine that may be executed by the controller of the pocketvault interface unit shown in FIG. 3;

FIG. 14 is a flow diagram illustrating an example implementation of aprimary routine that may be executed by the controller of the interfacestation computer shown in FIG. 3;

FIG. 15 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO VALIDATE POCKET VAULT routine shown in FIG. 14;

FIG. 16 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO UPDATE INFO ON POCKET VAULT routine shown in FIG. 14;

FIG. 17 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO AUTHORIZE TRANSACTION routine in FIG. 14;

FIG. 18 is a flow diagram illustrating an example implementation of thePROCESS UNSUCCESSFUL OPERATOR AUTHENTICATION routine shown in FIG. 14;

FIG. 19 is a flow diagram illustrating an example implementation of aprimary routine that may be executed by the controller(s) of the networkserver(s) shown in FIG. 4;

FIG. 20 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO REGISTER NEW POCKET VAULT HOLDER routine shown inFIG. 19;

FIG. 21 is a flow diagram illustrating an example implementation of thePROCESS REQUEST BY MEDIA ISSUER/ADVERTISER TO UPDATE NETWORK SERVERroutine shown in FIG. 19;

FIG. 22 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO UPDATE INFO ON POCKET VAULT routine shown in FIG. 19;

FIG. 23 is a flow diagram illustrating an example implementation of thePROCESS REQUEST FROM HOLDER TO LOAD NEW FILE ONTO NETWORK SERVER routineshown in FIG. 19;

FIG. 24 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO AUTHORIZE TRANSACTION routine shown in FIG. 19;

FIG. 25 is a flow diagram illustrating an example implementation of theAUTHORIZED POCKET VAULT USE? routine shown in each of FIGS. 20, 22, and24; and

FIGS. 26 a-26 p are illustrations of the portable electronicauthorization device, as well as the token (e.g., a card) associatedtherewith, as these items may appear when in use;

FIG. 27 is a block diagram illustrating several additional features thatmay optionally be added to a network system such as that shown in FIG. 1so as to enhance the functionality of the network;

FIG. 28 is a block diagram illustrating example components that mayoptionally be added to software executing on a controller of the PocketVault, such as the software described in connection with FIGS. 7-12, soas to enhance the functionality of the Pocket Vault in a networkenvironment;

FIG. 29 is a data flow diagram illustrating an example of how data mayflow between the Pocket Vault and a user interface of an interfacestation computer to which the Pocket Vault is interfaced/docked;

FIG. 30 is a flow diagram illustrating an example of a primary routinethat may be executed by a website on the network server(s) shown in FIG.27, which website may be accessed, for example, by a browser executingon the interface station computer shown in FIG. 27;

FIG. 31 is a flow diagram illustrating an example implementation of theINSTALL DRIVER(S) routine shown in FIG. 30;

FIG. 32 is a flow diagram illustrating an example implementation of theNEW POCKET VAULT HOLDER routine shown in FIG. 30;

FIG. 33 is a flow diagram illustrating an example implementation of theEXISTING POCKET VAULT HOLDER routine shown in FIG. 30;

FIG. 34 is a flow diagram illustrating an example implementation of theCARD LOADING routine shown in FIG. 33;

FIG. 35 is a flow diagram illustrating an example implementation of theSYNCHRONIZATION routine shown in FIG. 33;

FIG. 36 is a flow diagram illustrating an example implementation of theRECOVERY routine shown in FIG. 33;

FIG. 37 is a flow diagram illustrating an example implementation of theIDENTITY PORTING SELECTION routine shown in FIG. 33;

FIG. 38 is a flow diagram illustrating an example implementation of theBACKUP routine shown in FIG. 33;

FIG. 39 is a flow diagram illustrating an example implementation of theSET PREFERENCES routine shown in FIG. 33;

FIG. 40 is a flow diagram illustrating an example implementation of theRFID TAG LOADING routine shown in FIG. 33;

FIG. 41 is a block diagram showing a prior art RFID tag; and

FIG. 42 is a block diagram showing an example embodiment of an RFIDsystem in which a Pocket Vault such as that shown in FIG. 2 is used toselectively provide data to an RFID tag.

DETAILED DESCRIPTION

Disclosed herein is a new method and system for producing, distributing,storing, and using the typical contents of a person's wallet, as well asthe multiple, separate transaction authorization devices, e.g., RFIDtags, owned by the person. Essentially, the system may enableindividuals to replace nearly all of the paper and plastic contents oftheir wallets and all of their other transaction authorizationimplements with a single, hand-held portable electronic authorizationdevice. The system may include the portable electronic authorizationdevices, removable morphing tokens or cards associated with suchdevices, associated computer peripherals, software and certain networkcapabilities. As a whole, the system may eliminate virtually all of thedistribution costs and security concerns associated with paper andplastic media.

Because the device may incorporate many different media that arecommonly stored in a person's wallet or elsewhere, possibly includingboth financial and non-financial media, it is much more than a simplepoint-of-sale (POS) device. Therefore, the device may be moreappropriately referred to as a multi-purpose, “point-of-transaction”device. In any situation of presentment, whether for purposes such asbuilding security, demonstrating membership or using credit or debitcapacity, the system is designed to perform tasks more safely, securelyand with greater ease than is possible with prior art systems. Further,while certain computer technologies are involved, the preferredembodiment is such that some people may barely recognize it as acomputer, seeing instead a more comfortable to carry, easier-to-use,safer and more securely packaged means of transporting typical walletcontents and other items.

The system's business model may comprise an independent organizationacting as a media-neutral, multi-service provider of other issuers'various financial and non-financial media, that also may enableindividuals and retailers to add or create their own secure (and whereappropriate, non-secure media) using a device with a self-contained setof authentication security features, which may even be password-free.This device may operate over existing financial transaction networks,while also having links to a highly secure network system for certainfunctionality. The self-contained authentication functionality of thedevice itself ensures privacy, while providing sufficientaccountability/traceability to satisfy law enforcement concerns.

A network system 100 configured according to one illustrative embodimentof the invention is shown in FIG. 1. As shown, the network system 100may include a portable electronic authorization device 102(alternatively referred to herein as a “Pocket Vault”) and an associatedtoken 102 a (alternatively referred to herein as a “Chameleon Card”).Each person desiring to use the network system 100 may possess his orher own the Pocket Vault 102 and associated token 102 a. Someindividuals may choose to own multiple Pocket Vaults or Chameleon Cards.The system and software therefore may accommodate the use of multiplePocket Vaults and multiple Chameleon Cards by one individual.

Referring to FIG. 1, in addition to the Pocket Vault 102, the networksystem 100 may include one or more network servers 114 to which variousother network components are coupled. Although multiple, load-sharingnetwork servers 114 may be employed in a typical application, thenetwork server(s) 114 will hereinafter, for convenience, occasionally bereferred to as a single network server 114. Coupled to the networkserver 114 are: several different types of interface stations 104 (i.e.,a validation interface station 104 a, a personal interface station 104b, and a commercial interface station 104 c), one or more commercialcard readers 106, one or more commercial bar code readers 107, one ormore RFID interrogators 116, and several computers 108, 110, and 112operated by one or more advertisers, non-financial media issuers, andfinancial media issuers, respectively. The structure and functionalityof each of the components of the network system 100 in accordance withillustrative embodiments of the invention are described below.

As shown in FIG. 1, the network server 114 may form the hub of thenetwork system 100, with each of the interface stations 104, thecommercial card readers 106, the commercial bar code readers 107, theRFID interrogators 116, and the computers 108, 110, and 112 beingcoupled thereto. As discussed in more detail below, the network server114 may therefore serve as: (1) a repository of information for thenetwork, (2) the entity that controls access to the stored informationby the other network devices, and (3) a service provider for financialand non-financial media issuers, advertisers, as well as Pocket Vaultholders.

Any of a number of techniques may be used to interconnect the variouselements of the network system 100, and the invention is not limited toany particular networking technique. In one illustrative embodiment, forexample, the network server 114 is coupled to the other elements in thenetwork system 100 via the Internet or similar packet-switchedcommunication system. Alternatively, dedicated or selectivelyestablished (e.g., using a dial-up modem) communication channels or timeslots thereof may be employed between the respective devices. Theconnections between most of the network devices may be either hardwired(including fiber optic connections) or wireless (e.g., infrared (IR) orradio frequency (RF) links).

As shown in FIG. 1, the Pocket Vault 102 may be interfaced with any ofthe interface stations 104 a-c so as to permit information to beuploaded from the network server 114 to the Pocket Vault 102, or to bedownloaded from the Pocket Vault 102 to the network server 114. In oneillustrative embodiment, each of the interface stations 104 includes adocking mechanism that permits a Pocket Vault 102 to be physically, aswell as electronically, interfaced therewith. In such an embodiment,once the Pocket Vault 102 is physically “docked” with an interfacestation 104, the Pocket Vault 102 may communicate with the interfacestation 104 using any now known or later discovered technique. Forexample, physical contact may be made between respective electrodes orplugs, a line of sight (e.g., infrared) wireless link may beestablished, or any other interfacing technique may be employed.

The Pocket Vault 102 may additionally or alternatively be configuredsuch that it need not be physically docked with or even in the same roomas the interface station 104, as a wireless network such as Bluetoothmay be employed to permit communication between devices on the networksystem 100. In fact, in some embodiments wherein appropriate networkingcapabilities are provided, each Pocket Vault 102 may communicatedirectly with the network server 114, without the interface stations 104a-c facilitating communication therebetween. In addition, in someembodiments, Pocket Vaults 102 may communicate directly with oneanother. In such embodiments, such inter-device communication may permitvalue to be exchanged directly between Pocket Vaults 102.

The personal docking station 104 b may allow setting or changing of userpreferences, recording of miscellaneous information by the Pocket Vaultholder, replenishment or deletion of information regarding particularmedia, and may also permit additional media (e.g., a library card) to beadded to the device. The Pocket Vault holder may, for example, directlyadd non-value-based media (e.g., a membership number for the localHistorical Society) and notes to the Pocket Vault 102. In oneembodiment, value-based and certain identification media (a driver'slicense, passport, building security ID, etc.) may be added orreinstated only through a secure connection to the network server 114(as described below), in response to an update request from the PocketVault holder. In addition, the personal interface station may provide amechanism to download transaction activity involving the Pocket Vault102 into an individual's home computer. There are many users of homefinance software. These applications can be relatively “data hungry,”and commonly require users to download checking and debit card data fromtheir banks (or key it in manually) and to key in the details of creditcard and cash purchases. All of this keying and internet filedownloading from third parties may be replaced by a simple dockingprocedure, i.e., when the Pocket Vault 102 is interfaced with thepersonal docking station 102 b.

As shown in FIG. 1, and as described below in more detail, the PocketVault 102 may be equipped to generate the token 102 a such that thetoken 102 a has transactional information regarding a media (e.g., anactual or simulated magnetic stripe or a bar code) produced thereon. Insuch an embodiment, after the token 102 a has been generated, the token102 a may be used by the Pocket Vault holder to engage in a transactionwherein an entity swipes the magnetic stripe portion of the token 102 athrough a card reader 106 or scans the bar code on the token 102 a usinga bar code reader 107. Additionally or alternatively, the token 102 amay include a suitable Smartcard interface so that it may be used withSmartcard compatible devices.

Because the token 102 a may be caused to take on a different personalityeach time it is released from the Pocket Vault 102, a plurality of mediamay be stored electronically in memory of the Pocket Vault 102, and thetoken 102 a may, upon request, be generated to take on the personalityselected by the Pocket Vault holder. The respective media stored on thePocket Vault 102 may be issued by different and unrelated media issuers.As used herein, two media issuers are “unrelated” if there exists nolegal relationship between them.

The token 102 a may also have display capacity. Such a display may, forexample, indicate the media personality the token 102 a has taken on. Inaddition, for security purposes, the account number of the media, andperhaps other information, for example, the three digit security codetypically found on credit cards, may be shown on the display of thetoken 102 a after it is ejected from the Pocket Vault. The display ofthis information may help prevent fraudulent uses of the token 102 abecause the entity accepting it would be able to verify that thedisplayed information matched that read by the device used to read thetoken 102 a, e.g., a magnetic card reader.

In some embodiments, value may be exchanged between two Pocket Vaults102 when one the Pocket Vault 102 generates a token 102 a having avalue-based or value-linked media stored thereon, and the token 102 a sogenerated is passed to the other the Pocket Vault 102, which then maythen access the media and extract value therefrom or add value thereto.As mentioned above, this sort of value exchange may also be accomplisheddirectly between two Pocket Vaults 102 over a wireless network, such asBluetooth.

As discussed in more detail below, in addition to or in lieu of thetoken 102 a, the Pocket Vault 102 may also generate a bar code for aselected media on the Pocket Vault's display (not shown in FIG. 1), andthe bar code reader 107 may be used to scan the displayed bar code toprocess a transaction. Further, a transaction may be processed via acommercial interface station 104 c either by use of a docking terminalor via a wireless network scheme such a Bluetooth. In one embodiment,some commercial interface stations 104 c may comprise an interfacestation linked to a standard commercial card reader 106 or commercialbar code reader 107, with the card reader 106 or bar code reader 107being modified to accept input from the station.

Moreover, as is also discussed in more detail below, the Pocket Vault102 may be configured or programmed to function as an RFID tag that canbe used only by an authorized user of the Pocket Vault 102. For example,in response to an interrogation signal from the RFID interrogator 116(e.g., an interrogator of an automated toll booth), the Pocket Vault 102(if authorized) can return an appropriate RF signal to authorize paymentof the required fee for the toll. In some embodiments, the RFIDfunctionality of the Pocket Vault 102 can be altered by the user so thatuser is permitted to select the personality of the RFID tag that isembodied by the device. The user may, for example, first use the PocketVault 102 as an RFID tag to authorize payment of a toll, and later usethe same Pocket Vault 102 as an RFID tag to authorize payment at aservice station.

To permit the Pocket Vault holder to select from among the various mediastored in memory of the Pocket Vault 102, the Pocket Vault 102 maycomprise a display (not shown in FIG. 1). By employing either a displayhaving a user-manipulable touch screen or a separate user input device(not shown in FIG. 1), a Pocket Vault holder can effectively flipthrough the contents of the Pocket Vault 102 to locate and select adesired media (e.g., a credit card, driver's license, library card,frequent flier card, a particular RFID personality, etc.) much like aperson can flip through the contents of his or her wallet to do thesame.

The use of a display on the Pocket Vault 102 also creates an opportunityfor media providers to go from a static presentation of their brand(logo, etc.) to having the option of dynamic branding and messaging. Inaddition, using the display, the presentment of active marketing at the“moment of buying decision” is possible. Specifically, the logo andmessage displayed to the Pocket Vault holder may incorporate motion,moving images and messages. To conserve power, moving images may bepresented only at certain times, e.g., in response to internal orexternal events or communications.

In the embodiment of FIG. 1, the computers 108, 1 10, and 112, togetherwith the network server 114, may represent a secure infrastructure ofserver databases capable of storing information for purposes ofdelivering personalized services to holders of Pocket Vaults 102. Thenetwork server 1 14 may also track activity of Pocket Vault holders andcompile marketing information based thereupon that may prove useful tomedia issuers and/or advertisers. The Pocket Vault holder may havecontrol over the ability of the network server 114 to track activity.The information maintained on the network system 100 may originate withthe holders of Pocket Vaults 102 and/or may originate with the otherentities having access to the network system 100 (e.g., advertisers andmedia issuers).

As discussed below in more detail, in some embodiments of the invention,certain uses of the Pocket Vault 102, as well as each of the interfacestations 104 a-c, may be permitted only by pre-authorized individuals.To this end, a suitable user authentication technique may be employed inconnection with each attempted use of any of these devices. One suitableuser authentication technique that may be employed is the analysis of abio-metric feature of the individual attempting use of the device (e.g.,a fingerprint scan, retina scan, a speech pattern analysis, keystrokerhythm, etc.), and validating the identity of the individual on thatbasis. Alternatively or additionally, a personal identification (PIN)code may be entered by the holder to verify the holder's identity. Inone illustrative embodiment, authentication information used to validatethe holder's identity (e.g., the stored fingerprint and/or PIN code) isstored within the to-be-accessed device, and the validation is performedin its entirety on-board the same device, such that the user-specificauthentication information never leaves the device in which it isstored. Thus, using this technique, the likelihood that such informationwill be intercepted by unauthorized third parties may be reducedsignificantly.

It should be appreciated that, for some applications, it may bedesirable to receive and store authentication information (e.g.,fingerprint data) of some or all Pocket Vault holders in the networkserver 114. Accordingly, in some embodiments, such authenticationinformation may be maintained by the network server 114. Thisauthentication information may be transmitted to the network server 114,for example, when Pocket Vaults 102 are first validated.

As discussed below, great care may be taken to ensure that onlyauthorized individuals are permitted to validate Pocket Vaults 102 byhaving their authentication information (e.g., their fingerprint data orPIN codes) stored therein. Therefore, after it has been confirmed thatthe holder's authentication information has been properly stored in thePocket Vault 102, a trust relationship may be established between thenetwork server 114 and the Pocket Vault 102. This relationship mayinvolve, for example, the registration of a unique encrypted chip ID ofthe Pocket Vault 102 with the network server 114 through a secureInternet connection, the distribution of a digital certificate (e.g., aPKI certificate) to the Pocket Vault 102, and the grant of authority tothe Pocket Vault 102 to permanently store the Pocket Vault holder'sauthentication information.

A similar level of care may also be taken to ensure that only authorizedindividuals are permitted to validate interface stations 104 a-c byhaving their authentication information (e.g., their fingerprint data orPIN codes) stored therein. Therefore, as with the Pocket Vaults 102,after it has been confirmed that each interface station's authorizationinformation has been properly stored in the interface station 104, atrust relationship may be set up between the network server 114 and theinterface station 104. This relationship may also involve, for example,the registration of a unique encrypted chip ID of the interface station104 with the network server 114 through a secure Internet connection,the distribution of a digital certificate to the interface station 104,and the grant authority to the interface station 104 to permanentlystore the interface station operator's authentication information.While, in some embodiments, the Pocket Vault 102 and/or the interfacestations 104 are each permitted to store authentication information foronly one individual, it should be appreciated that, in alternativeembodiments, the Pocket Vault 102 and/or the interface stations 104 mayeach store authentication information for more than one individual,thereby permitting multiple people to use them.

Because of the creation of the above-described trust relationships, eachPocket Vault 102 and each interface station 104 may communicate securelywith the network server 114, as well as with any other networked devicesor sites that require a high level of trust. Also, the existence ofthese trust relationships enable individual Pocket Vaults 102 to acceptother services provided by the network servers 114, such as the backupand recovery of information stored within the Pocket Vaults 102. Thatis, the network servers 114 can serve as a repository for all of theinformation stored on every validated Pocket Vault 102 (except theholder's authentication information—which, in some embodiments, isstored only in the Pocket Vault 102). To ensure that the network server114 stores an accurate version of the contents of each Pocket Vault 102,information may, for example, be uploaded from the network server 114 toa Pocket Vault 102 or downloaded from the Pocket Vault 102 to thenetwork server 114 each time the Pocket Vault 102 is interfaced with anyof the interface stations 104 a-c. Therefore, if a Pocket Vault 102 islost or stolen, the Pocket Vault holder need only obtain a new PocketVault 102, and the entire contents of the lost Pocket Vault 102 can beuploaded thereto, in a single communication, in a matter of seconds. Inaddition, in the event that a validated Pocket Vault 102 is lost orstolen, the network server 114 may void the chip ID of that Pocket Vault102, so that the Pocket Vault 102 cannot be used by a third party, evenif the holder validation security (e.g., the bio-metric scanning or PINentry requirement) is somehow breached. Voiding the chip ID of thePocket Vault 102 may, for example, prevent the Pocket Vault 102 fromassigning any media information to the associated Chameleon Card.

In addition to serving as a repository for Pocket Vault information, thenetwork server 114 may also serve as a repository for informationregarding media issuers or advertisers, and may further provide variousservices to these entities. For example, the network server 114 mayfacilitate transactions involving media issued by media issuers, and maypermit new media to be issued or lost media to be replaced at a fractionof the cost of generating new physical tokens or replacing lost ones.Additionally, the network server 114 may serve as a conduit foradvertisers to target particular classes of Pocket Vault holders, andchannel information to them. The network server 114 may also function asan advocate for Pocket Vault holders, advertisers, and/or media issuerswhen it utilizes its portfolio of Pocket Vault holders, media issuers,and/or advertisers to secure privileges. Examples of such advocacyinclude the ability to secure buying power for Pocket Vault holders as agroup or to provide media issuers and advertisers with a highlyefficient tool for generating awareness for affinities or causes thatfit appropriate holder markets. In sum, the services provided by thenetwork server 114 enable Pocket Vault holders to combine and managetheir media data using a single, hand-held device, and enablesadvertisers and media issuers to understand more about, and more readilyreach more of, their customers than ever before.

FIG. 2 shows an example embodiment of the Pocket Vault 102 of FIG. 1.The Pocket Vault 102 may employ components similar to those used inmodern personal digital assistants (PDAs) and palm top computers.Examples of such products include PDAs such as the “Palm Pilot” fromPalm, Inc. (www.palm.com), and the “Casiopedia” from Casio, Inc. ofDover, N.J. (www.casio.com). As shown, the Pocket Vault 102 may includea controller 202, as well as a transceiver 204, a user input device 206,a docking interface 208, a read/write memory 210, a write-once memory212, a power manager 214, an indicator 215, a display 216, a token port218, and a fingerprint scanner 220, all coupled to the controller 202.In addition, the Pocket Vault 102 may include a hard-wired memory (notshown) to store device serial numbers and key operating system andencryption software components.

Actual views of an example embodiment of the Pocket Vault 102, as wellas the token 102 a associated therewith, are shown in FIGS. 26A-26P. Theviews of FIGS. 26A-P, including the items displayed on the display 216,are discussed in more detail below in connection with the flow diagramsof FIGS. 7-12. At this point, however, with reference to FIGS. 26A-L and26O, it may be noted that the Pocket Vault 102 may comprise a housing2602 in which the components shown in FIG. 2 may be disposed. Asillustrated in FIGS. 26E and 26F, the housing 2602 may be approximatelyseventy millimeters wide, approximately one hundred millimeters long,and approximately fifteen millimeters deep. Thus, in the embodimentshown, the housing 2602 has an internal volume of less than 105 cubiccentimeters.

Of course, in alternative embodiments, the housing 2602 may be slightlylarger or smaller than that shown. For example, in differentembodiments, the housing 2602 may have an internal volume of less thanfive hundred cubic centimeters, or less than four hundred cubiccentimeters, or less than three hundred cubic centimeters, or less thantwo hundred cubic centimeters, or less than one hundred cubiccentimeters, or less than any other volume value that falls between onehundred and five hundred centimeters. In one embodiment, the housing2602 is sized so that the Pocket Vault 102 may readily fit into the rearpocket of a pair of pants. One feature of the illustrative embodiment ofthe Pocket Vault 102 shown in FIG. 2 which may permit its size to bereduced below that of a standard personal computer is the fact that theembodiment shown lacks a disk drive (either hard or floppy) or anysimilar memory storage device (e.g., a tape drive) that consumes asignificant volume within the housing 2602. It should be appreciated, ofcourse, that alternative embodiments may include such memory devices,and that the invention is not necessarily limited to embodiments thatexclude them. In addition to the lack of a disk drive or the like, insome embodiments, the power manager 214 may reduce the power consumptionof the active components of the Pocket Vault 102 well below that of astandard personal computer, thereby enabling a very small and lightweight battery to be employed, as opposed to the relatively large andheavy batteries typically employed in personal computers.

The housing 2602 may provide a water-resistant or waterproof environmentfor the components housed thereby. The housing 2602 may further besealed in a manner suitable to prevent tampering, for example, using aplastic potting compound, and may even be designed such that any attemptto invade the housing 2602 will damage the Pocket Vault 102 such that itmay no longer be used. The housing materials of Pocket Vaults 102 may bebrightly colored, in addition to traditional black or brown, therebyhelping their holders to make a fashion statement and/or permitting themto be readily spotted if misplaced. Deluxe versions may be clad inleather, Kevlar™, Gortex™, aluminum and/or stainless steel. In someembodiments, the housing 2602 may even be woven into garments.

Referring again to FIG. 2, any of a number of devices may be used toimplement the controller 202, and the invention is not limited to anyparticular type of controller. In one illustrative embodiment, forexample, the controller 202 comprises a low-power multiprocessor ormicrocomputer having an on-board SRAM and/or flash memory and a realtime clock calendar. One example of a suitable controller is the“Motorola Dragonball” Processor from Motorola, Inc. (www.motorola.com).The controller 202 may include a software-programmable andencryption-protected or hard-wired unique chip ID. In one embodiment,this chip ID is released from the Pocket Vault 102 only after thefingerprint scanner 220 (discussed below) has successfully authenticatedthe identity of the holder. A signal processor for Bluetooth or anotherwireless connection may also be employed within or along with thecontroller 202.

The transceiver 204 may include one or more antennas and may be any typeof transceiver (or separate transmitter and receiver) capable ofcommunicating with other devices in the network 100 to enable thefunctionality described herein. For example, either an RF or an IRtransceiver may be employed. Some embodiments may, in fact, include bothan IR and an RF transceiver to be used in different applications. Forexample, an IR transceiver may be employed to interface the Pocket Vaultwith a “docking station” type interface unit, and a separate RFtransceiver may be employed to communicate over a wireless network suchas Bluetooth. Multiple transceivers (or transmitter/receiver pairs) ofthe same type may also be employed, if desired.

As discussed in more detail below in connection with FIGS. 41 and 42,the transceiver 204 may, for example, serve as the transmitter andreceiver of an RFID transponder used to respond to an interrogationsignal from an interrogator 116.

In one illustrative embodiment, the user input device 206 is implementedas part of a touch-screen display used as the display 216 (describedbelow). Additionally or alternatively, the user input device 206 mayinclude dedicated buttons, a keypad, a touch pad, a microphone andspeech recognition software, a wand or joystick, or any other suitableimplement that permits a person to provide input to the controller 202.The user input device 206 may also be integrated into the fingerprintscanner 220 or into an alternative bio-metric input device. Bymanipulating the user input device 206, a Pocket Vault holder may selectone of a number of media stored in memory of the Pocket Vault 102 fordisplay and/or use in connection with a transaction, and may otherwisecontrol or provide input to software executing on the controller 202. Inone embodiment, a keypad is employed as the user input device 206,thereby permitting the holder to input a PIN code as a means ofauthenticating the holder's identity.

The docking interface 208 may take on any of numerous forms, and theinvention is not limited to any particular type of interface device. Thedocking interface 208 may, for example, include a multi-pin plug adaptedto mate with a receptacle disposed on the interface units 104 a-c, orvice versa. The docking interface 208 may also comprise one or moreimplements (e.g., grooves or keys) to ensure that the plug or otherdocking interface 208 mates correctly with the reciprocal device on aninterface unit 104 when the two are physically mated together.

The read/write memory 210 may take on any of a number of forms, and theinvention is not limited to any particular type of memory. The memory210 may, for example, comprise a suitable non-volatile SRAM. Similarly,any suitable memory device that permits a only single write operation totake place may be employed as the write-once memory 212. The memory 210may have instructions stored therein which, when executed by thecontroller 202, cause the controller 202 to implement theroutines/software described below in connection with FIGS. 7-12 and/orFIG. 28. Of course, the memory 210 may also contain a suitable operatingsystem (e.g., Palm OS, Microsoft's Windows CE, Microsoft's Windows forSmartcards, or some similar offering), appropriate device drivers, andother software employed in connection with the controller 202 and/or theperipherals thereof. The memory 210 may also be used to store thevarious media and personal information retained by the Pocket Vault 102.In one illustrative embodiment, the memory 210 stores a plurality ofdifferent media issued by different and unrelated media issuers,including both financial (e.g., a credit or debit card) andnon-financial media (e.g., a drivers license or a library card). Otherexamples of media or information that may be stored in the memory 210include: a social security card, identification cards, membership cards,discount cards, commuter passes, toll passes, data for various RFI )tags, transit cards, access tools such as hotel keys, business cards,coupons, concert and theatre tickets, transportation tickets, frequentcustomer cards (e.g., a frequent flier card), medical information cards,receipt information, photographs, etc.

As used herein, “financial media” refers to any media which can, as amatter of course, be used to purchase goods or services, whereas“non-financial media” refers to any media which, while possibly havingsome value to the Pocket Vault holder, cannot, as a matter of course, beused to purchase goods or services. Examples of financial media includevalue-linked and value-based media such as debit or credit cards issuedby a bank or other financial institution, telephone calling cards, etc.Examples of non-financial media include: library cards, driver'slicenses, building access cards, etc. In one embodiment, the memory 210is large enough to store as many as one hundred compressed graphic imagefiles, and full data sets for as many as one hundred types of media.

In addition, the memory 210 may store status information, where useful,for each type of media. Examples of this sort of status informationinclude: information regarding the value remaining on a pre-paid phonecard, information regarding an accumulated number of frequent fliermiles, information regarding a total number of cups of coffee that havebeen purchased at a particular coffee shop (e.g., in connection with abuy-ten-get-one-free special), etc. The portion of the memory 210devoted to memory storage may be divided into three sections: (1) ahigh-security section, (2) a medium security section, and (3) anon-secure section. The high security section may be used to storevalue-based or value-linked media such as debit and credit cards andcertain ID information such as driver's licenses, passports, buildingsecurity passes, etc. The medium security section may be used to storelow-value, limited use media that may be accessed, for example, byretailers to keep track of frequent purchase credits or the like. Thenon-secure section may, for example, be used to store notes, membershipID records, emergency contact information, etc. Access to theinformation included in the various sections may require security oruser authentication procedures commensurate with the indicated securitylevel. For example, an accurate fingerprint scan and an accurate pincode entry may be required to access the high-security section, only anaccurate PIN code entry (even by the retailer) may be required to accessthe medium-security section, and anyone may be permitted to access thenon-secure section.

The power manager 214 may comprise any of numerous devices, and theinvention is not limited to any particular type of powersupply/management device. The power manager may, for example, employ aflat, rechargeable, lithium battery, and associated regulator and powermanagement software. Alternatively, the battery used may benon-rechargeable and/or coin cell-shaped. Solar powered cells may alsobe a viable option as at least a supplement to battery power, if not aprimary source of power for the Pocket Vault 102. This may be madepossible because of the typically modest on-time requirements for aPocket Vault 102. Power management software may also assist inminimizing the power consumption of the Pocket Vault 102. Such softwaremay, for example, invoke an auto-shutdown feature after a preference-setnumber of seconds, may control the level of screen back-lighting inresponse to feedback received from a photo-sensor that registers ambientlight, and/or may provide battery charge level warnings to Pocket Vaultholders.

The indicator 215 may be any device capable of generating a perceptibleindication to the holder such as a bell, chime, buzzer, light,vibration, etc., and the invention is not limited to any particular typeof device for accomplishing such a result. In one embodiment, forexample, the indicator is a chime generator that generates a “chime”sound that can be heard by the Pocket Vault holder.

Any of a number of devices may also be used for the display 216, and theinvention is not limited to any particular type of display. As mentionedabove, in one embodiment, a touch-screen display may be employed suchthat at least a portion of the functionality of the user input device206 may be incorporated therein. Suitable displays may, for example,include any of a black & white, gray-scaled, or color LCD display, or anLCD bi-stable display.

As mentioned above, the use of the display 216, together with the userinput device 206 (which may constitute the touch-screen functionality ofthe display 216) permits the Pocket Vault holder to flip or scrollthrough the various media stored in the memory 210 in much the same wayas a person flips through the contents of his or her wallet. Asmentioned above in connection with the description of the indicator 215,in addition to or in lieu of the display 216, other user output devicesmay also be employed to provide information to the Pocket Vault holder.For example, light emitting diodes (LEDs), a beeper or buzzer, a speechsynthesizer, a vibrator, etc., may be employed in some embodiments ofthe Pocket Vault 102.

The token port 218 of the Pocket Vault 102 may comprise a cavity or slotin which the token 102 a is retained until it is released to be used toengage in a transaction, as well as the hardware employed to secure thetoken 102 a in place when the token 102 a has not been authorized to bereleased. In one embodiment, the token 102 a stores a unique (andpossibly encrypted) chip ID which is accessible to another device onlywhen the token 102 a is successfully released form the token port 218.In addition to the elements described above, the card port 218 mayinclude additional hardware employed in connection with properlygenerating or configuring the token 102 a prior to its release. Thishardware is discussed in more detail below in connection with FIG. 6.

The fingerprint scanner 220 may comprise any device capable ofaccurately scanning a fingerprint of an individual for comparison withone or more fingerprint images stored in memory. The fingerprint scanner220 may, for example, be a solid-state (non-optical) device. Devicesthat may be suitable for use as the fingerprint scanner 220 areavailable, for example, from Veridicom, Inc., of Santa Clara, Calif.(www.veridicom.com), from Polaroid Corporation of Cambridge, Mass.(www.polaroid.com), and from Identix Incorporated of Sunnyvale, Calif.(www.identix.com). The fingerprint scanner 220 may incorporate atemperature sensor that enables it to ensure that a live finger iscontacting the scanning surface when the scanning function is employed.In addition to or in lieu of a fingerprint scanner, other bio-metricscanning devices may also be employed to verify the identity of theholder. For example, some embodiments may employ a charge coupled device(CCD) to serve as an iris or retina scanner, an optical sensor, and/or avoiceprint. Alternatively or additionally, a keystroke rhythm may bemeasured, either alone or in combination with another userauthentication technique (e.g., a successful PIN code entryrequirement), to validate the identity of the holder. The fingerprintscanner 220 and/or other bio-metric scanners may have touch padcapabilities built into them, thereby permitting them to constitute atleast a part of the user input device 206 shown in FIG. 2.

FIG. 3 is a block diagram showing an example embodiment of one of theinterface stations 104 a-c shown in FIG. 1. The hardware employed toimplement each of the stations 104 a-c may be identical to the others ormay be substantially different, depending on the environment in whichthe station 104 is to be used, as well as the functional requirements ofthe particular station. Therefore, while the example embodimentdescribed herein may be suitable for use as any of the stations, itshould be appreciated that each of the stations may, in fact, beconfigured quite differently than the others.

As shown in FIG. 3, each interface station 104 may include both an theinterface station computer 304 and a pocket vault interface unit 302.The interface station computer 304, for example, may be a standarddesktop personal computer (PC), and may, as shown, comprise a controller308, a user input device 318, a memory 320, a modem 322, and a display324. These components are well known in the art and therefore will notbe described in detail herein. The memory 320 of the interface stationcomputer 304 may have instructions stored therein which, when executedby the controller 308, cause the controller to implement the routinedescribed below in connection with FIGS. 14-18 as well as any othersoftware, e.g., a browser, drivers, etc., executing on the interfacestation computer 304.

The pocket vault interface unit 302 is coupled to the interface stationcomputer 304 such that a controller 306 of the pocket vault interfaceunit 302 can communicate with the controller 308 of the interfacestation computer 304. The communications interface between these devicesmay, for example, comprise a Smartcard, Bluetooth or USB interface. Asshown, in addition to the controller 306, the pocket vault interfaceunit 302 may comprise a transceiver 310, a docking interface 312, afinger print scanner 316, a stripe reader 315, and a memory 314.Further, although not shown in FIG. 3, the pocket vault interface unit302 may also comprise a display and/or another device used to providefeedback to the operator, e.g., an audio indicator or LED.

The stripe reader 315 may be any conventional device for electronicallyreading the magnetic stripe on a token card such as a credit/debit cardor drivers license. The stripe reader 315 may be used, for example, toread information from a token card so that such information can bedownloaded to the network server 114 or the Pocket Vault 102.

The memory 314 may be any conventional memory suitable to store thesoftware executed by the controller 306, as well as any data, e.g.,stored fingerprint data, used in connection therewith. For example, thememory 314 of the pocket vault interface unit 302 may have instructionsstored therein which, when executed by the controller 306, cause thecontroller 306 to implement the routine described below in connectionwith FIG. 13.

As with the transceiver 204 of the Pocket Vault 102, the transceiver 310of the pocket vault interface unit 302 may be any type of transceiver(or separate transmitter and receiver) capable of communicating with theother devices in the network 100 to enable the functionality describedherein. For example, either an RF or an IR transceiver may be employed.Some embodiments may even include both an IR and an RF transceiver to beused in different applications. For example, an IR transceiver may beemployed to interface the pocket vault interface unit 302 with a PocketVault 102, and a separate RF transceiver may be employed to communicateover a wireless network such as Bluetooth.

As with the docking interface 208 of the Pocket Vault 102, the dockinginterface 312 of the pocket vault interface unit 302 may take on any ofnumerous forms, and the invention is not limited to any particular typeof interface device. The docking interface 312 may, for example, includea multi-pin plug adapted to mate with a receptacle used as the dockinginterface 208 of a Pocket Vault 102, or vice versa. The dockinginterface 312 may also comprise one or more implements (e.g., keys orgrooves) to ensure that the plug or the like of the docking interface208 of the Pocket Vault 102 mates correctly with the correspondingimplement of the docking interface 312 when the Pocket Vault 102 andpocket vault interface unit 302 are physically mated together.

Finally, as with the fingerprint scanner 220 of the Pocket Vault 102,the fingerprint scanner 316 of the pocket vault interface unit 302 maycomprise any device capable of accurately scanning a fingerprint of anindividual for comparison with one or more fingerprint images stored inmemory. The fingerprint scanner 316 may, for example, be a solid-state(non-optical) device. Devices that may be suitable for use as thefingerprint scanner 220 are available, for example, from Veridicom,Inc., of Santa Clara, Calif. (www.veridicom.com), from PolaroidCorporation of Cambridge, Mass. (www.polaroid.com), and by IdentixIncorporated of Sunnyvale, Calif. (www.identix.com). The fingerprintscanner may incorporate a temperature sensor that enables it to ensurethat a live finger is contacting the scanning surface when the scanningfunction is performed. In addition to or in lieu of a fingerprintscanner, other bio-metric scanning devices may also be employed toverify the identity of the interface station operator. For example, someembodiments may employ a charge coupled device (CCD) to serve as an irisor retina scanner, an optical sensor, and/or a voiceprint. Alternativelyor additionally, a keystroke rhythm may be measured, either alone or incombination with another user authentication technique (e.g., asuccessful PIN code entry requirement), to validate the identity of theoperator. Although not shown, the pocket vault interface unit 302 mayadditionally comprise one or more user input devices enabling theoperator to control or provide input to the pocket vault interface unit302 or the software executing thereon. The fingerprint scanner 316and/or other bio-metric scanners may, for example, have touch padcapability capabilities built into them, thereby permitting them toconstitute such a user input device. Separate user input devices mayalso be employed.

FIG. 4 shows an example embodiment of the network server 114 shown inFIG. 1. As shown, the network server 114 may comprise one or morecontrollers 402, as well as a local memory 404, a database 406, and atransceiver 408 coupled thereto. The illustrated components of thenetwork server 114 are well known, and therefore will not be describedin detail. The transceiver 408 may, for example, be used to communicatewith other devices in the network system 100 (FIG. 1) using a wirelessnetwork such as Bluetooth. The controller 404 may also communicate withother network devices via the Internet or a direct connection such asthe type established using a dial up modem.

The local memory 404 may have instructions stored therein which, whenexecuted by the controller 402, cause the controller 402 to implementthe routines described below in connection with FIGS. 19-25 and/or FIGS.30-39. In some embodiments, the local memory 404 and/or database 406 actas a website and execute software which may be accessed by a browser orsimilar software module operating on a computer. One such embodiment isdescribed below in connection with FIGS. 28-39.

The database 406 may, for example, comprise a relational database, andmay be used to store the majority, if not all, of the data maintained bythe network server 114. The database 406 may, for example, keep areal-time record of critical reference data along with transactionhistories, back-up files, and security audit trail information for keyevents. Examples of specific items that may be stored in the database406 include: a list of current Pocket Vault holders and appropriatecontact information for each; records regarding the versions of softwareloaded onto each Pocket Vault 102, each pocket vault interface unit 302,and each interface station computer 304; a list of currently authorizedor registered Pocket Vaults 102, identified by chip ID and linked to theholder list; a list of currently authorized or registered tokens 102 a,identified by chip ID and linked to the holder list; a list of currentlyauthorized locations for interface stations 104 and telephone or otheraccess lines therefor, including business information for each suchlocation and an indication as to the type of interface station 104 it is(e.g., a validation interface station, a personal interface station, ora commercial interface station); a list of currently authorized orregistered interface station operators and the interface stations 104with which they are associated; a list of currently authorized orregistered interface stations 104, identified by chip ID and linked tothe list of authorized operators therefor, as well as encrypted cookieID information (if any) for the respective interface stations 104;authorized media data received from media issuers that has not yet beendownloaded to individual Pocket Vaults 102; backup data sets forindividual Pocket Vault holders; detailed transaction histories forPocket Vault registrations indicating where each Pocket Vault 102 wasshipped from and to, where each Pocket Vault 102 was registered, whichauthorized interface station operator conducted the registrationprocess, when that authorized operator was added to the list ofauthorized operators at a particular location, who submitted the keyinformation to add the operator, which corporate representativeassociated with the network server 114 met with which representativeassociated with the interface station in establishing each new locationfor a validation interface station 104 a, to whom and when each PocketVault 102 was issued; and communication encryption protocols. EachPocket Vault account defined on the network server 114 may be defined tosupport multiple Pocket Vaults 102, as well as to identify other familymembers who may share certain contents of the Pocket Vaults 102 (e.g.,family membership in a local museum).

The network server 114 may analyze data regarding consumer transactions,and thereby accumulate demographic information. Using this information,merchants, media issuers, and/or advertisers may, for example, definetargeted marketing programs, which the network server 114 may thendeliver to Pocket Vault holders that meet particular demographicprofiles.

FIG. 5 shows how the memory 210 of the Pocket Vault 102 (FIG. 2) may beorganized (conceptually) in accordance with one embodiment of theinvention. The purpose of each of the illustrated memory components willbe readily understood by those skilled in the art of the invention, andtherefore will not be explained in detail.

FIG. 6 is a block diagram showing an example embodiment of the token 102a shown in FIGS. 1 and 2. As shown, the token 102 may be equipped with acontroller 602. In the embodiment shown, the controller 602 may beselectively programmed, for example, via interface terminals 606 togenerate a current in a wire loop 608 so as to generate a magnetic fieldabout the wire loop 608 that simulates a magnetic stripe of a standardcredit card-like token. In other words, a magnetic field may begenerated along the edge of the token 102 a as if a magnetic stripe werepresent on that edge. The location of the simulated magnetic stripe onthe token 102 a is identified in FIG. 6 as a virtual magnetic stripe610.

Appropriate software may be loaded onto the controller 602 (e.g., in anon-board memory of the controller 602) so as to enable the controller togenerate the virtual magnetic stripe 610. When the token 102 a isdisposed in the token port 218, the terminals 606 of the token 102 a mayengage corresponding terminals of the token port 218, thereby enablingthe controller 602 to be programmed appropriately. The programming ofthe controller 602 may be effected, for example, in response to commandsfrom the controller 202 of the Pocket Vault 102, which commands may begenerated in response to software executing on the controller 202.

As shown, the controller 602 may be powered by an appropriateresistor-capacitor (RC) circuit which stores a charge that decays overtime. The RC circuit may be initially charged via the terminals 606 whenthe token 102 a is disposed in the token port 218 and the controller 602is being programmed. After the token 102 a is removed from the tokenport 218, the controller 602 will remain powered only so long assufficient charge remains stored by the RC circuit 604. Because thecontroller 602 can generate the virtual magnetic stripe 610 only when itis driven by an adequate power supply, the virtual magnetic stripe willdisappear after the charge in the RC circuit 604 has decayed beyond acertain threshold level. Because the decay of an RC circuit isreasonably predictable, the virtual magnetic stripe 610 is disposed onthe token 102 a only for a finite, predetermined period of time afterthe token 102 a is removed from the token port 218. In one embodiment,after the controller 602 loses power, the information with which it wasprogrammed to enable it to generate the virtual magnetic stripe 610 isalso lost. Therefore, the virtual magnetic stripe 610 of the token 102 acannot be used again until the controller 602 is again powered up andreprogrammed. Alternatively, the controller 602 may cut off the power tothe wire loop 608 after a preset amount of time or an amount of timedetermined by the Pocket Vault holder (possibly within preset limits).Additionally or alternatively, the token 102 a may have its own embeddedchip ID, which may be accessible only when the token 102 a issuccessfully released form the token port 218.

In some embodiments, the token 102 a may possess the characteristics ofa bank-issued Smartcard, either in addition to or in lieu of the virtualmagnetic stripe 610. Accordingly, the token 102 a may include aspecialized Smartcard chip or the controller 602 may be programmed tomimic such a chip. In any event, the token 102 a may be preloaded withthe bank's chip operating system (OS) and possibly customer-specificsecure information. In such embodiments, the functionality of theSmartcard components may, for example, be enabled only in response tosuccessful authentication of the Pocket Vault holder, e.g., using thefingerprint scanner 220 of the Pocket Vault 102. Therefore, thecustomer-specific “Smartcard” information may remain inaccessible solong as the Pocket Vault holder's identity has not been authenticatedusing the Pocket Vault 102.

In addition to or in lieu of the virtual magnetic stripe 610 and/orSmartcard components described herein, the token 102 may have disposedon it a conventional magnetic stripe that can be selectively written toby a magnetic read/write head in the Pocket Vault 102 before the token102 a is released from the token port 218. Like the other embodimentsdescribed above, the programming and/or use of such a token 102 a couldbe restricted until after the identify of the Pocket Vault holder hasbeen verified via biometric authentication, PIN code entry, orotherwise.

Moreover, in some embodiments, the token 102 a may also have disposed onit a flexible LCD 612 or other suitable display mechanism or device.Prior to ejection of the token 102 a from the token port 218, the PocketVault 102 may transfer information to the token 102 a (e.g., viaterminals 606) for display on the LCD 612. This transfer may either bedirect or indirect (e.g., via a separate integrated circuit on the token102 a), and may involve the transfer of alphanumeric information (whichmay or may not include a hash code) and/or graphics, such as icons orbarcodes. This information transferred may be encrypted, andde-encryption may be employed either in the separate integrated circuiton the token 102 a or in a processor packaged with the LCD 612. In anyevent, the LCD 612 may receive the proper data to display, which wouldmatch all or part of the code stored on the card by means of the virtualmagnetic stripe 610, a writeable magnetic stripe, Smartcard simulationcircuitry, etc.

In some embodiments, the LCD 612 may be powered by a capacitorconfigured and arranged to drain after a preset time, thereby renderingthe LCD 612 inoperable until programmed again by the Pocket Vault 102.Thus, even if the token 102 a were still swipeable or otherwise useable,a merchant could opt not to accept it because the requisiteauthorization information would not longer be displayed forcertification purposes.

Instead of or in addition to an LCD or other type of display, somesuitable technology may be employed to cause account information, andperhaps other information that is typically embossed or printed oncredit cards or Smartcards, to appear temporarily on the token 102 aafter the token 102 a is ejected from the token port 218. One technologythat may be appropriate for this purpose is available from E-ink(www.Eink.com).

Thus, when an LCD display, a temporary ink technology, or the like, isemployed on the token 102 a, not only may the token 102 a be selectivelyconfigured to have an actual or simulated magnetic stripe (or Smartcardpersonality) like a typical credit card or Smartcard, but it also may beconfigured to display information that is typically embossed or printedon such cards, including security enhancing information.

When used by a consumer, retailers may verify authenticity by matchingthe information displayed on the token 102 a with that revealed in theswipe or other token reading process. Without a match, the token 102 amay be rejected.

As discussed above, in some embodiments of the Pocket Vault 102, thetransceiver 204 (FIG. 2) may be used as the transmitter and receiver ofan RFID transponder, and thereby function as an RFID tag. Such an RFIDtag may be selectively configured to have one of several personalitiesand may be rendered operable only when the holder of the Pocket Vault102 authenticates his or her identity (e.g., in response to an accuratefingerprint scan by fingerprint scanner 220).

To appreciate the manner in which the Pocket Vault 102 may achieve thisfunctionality, a prior art RFID tag system (shown in FIG. 41) will bebriefly described. An RFID system includes at least one “RFID tag” andat least one “interrogator.” The interrogator communicates with the RFIDtag via an RF signal at some suitable frequency, e.g., somewhere between10 kilohertz and about 5 gigahertz. The distance between the RFID tagand the interrogator can be as short as near contact or as far as tensof feet away, depending upon the specific technology used. In mostapplications the RFID tag is a sealed device with no displays or usercontrols. The interrogator can be a hand held device that is manuallyoperated or can be automated and included in a piece of stationaryequipment, for example, at a parking garage, a toll booth, or a servicestation.

When the RFID tag comes within range of the interrogator, the twodevices communicate in a session that may be a one-way read of the RFIDtag information by the interrogator, or may be a two-way session inwhich the interrogator stores information in the RFID tag. Theinformation stored in an RFID tag is typically an identification codesuch as a serial number. An RFID tag therefore functions much like a barcode, except that it is read by RF. To prevent counterfeiting, theinformation released from an RFID tag may be signed with a one-waycryptographic key so that it is difficult to decode or duplicate thecode.

There are four possible types of RF HD tags: (1) active, read only RFIDtags, (2) passive, read only RFID tags, (3) active, read/write RFIDtags, and (4) passive, read/write RFID tags. Read only RFID tags haveinformation that is stored in them at time of manufacture and can onlybe read (and not written to) by the interrogator. A Read/Write tag mightinclude a mix of read only information but will have some memory in thetag that can be altered by the interrogator. A passive tag has nobattery or other permanent energy source. An active tag, on the otherhand, has a battery or is plugged into an external energy source.

An example of a prior art RFID tag 4100 is shown in FIG. 41. As shown,the RFID tag 4100 is a self-contained electronic device that includes areceiver 4102 a and a transmitter 4102 b that share an antenna 4104 andare connected to a micro-controller 4106. The micro-controller 4106 isfurther connected to either a read-only memory 4108 a or a read/writememory 4108 b. The RFID tag 4100 is powered by rectifying the RF energysupplied to the antenna 4104 by the interrogator (not shown). If theRFID tag 4100 were of the “active” type, then an internal battery (notshown) would be employed.

In operation, when the RFID tag 4100 receives an interrogation signalfrom an interrogator (not shown) via the antenna 4104 and receiver 4102a, the micro-controller 4106 retrieves the tag's serial number from thememory 4108 and passes it to the transmitter 4102 b and antenna 4104 forRF transmission to the interrogator. When a read/write memory 4108 b isemployed, the micro-controller 4106 may also write information receivedfrom the interrogator to that memory.

In addition to typical electronic transponders such as that shown inFIG. 41, there also exist some RFID technologies that use non-electronicRFID tags. For example, interrogators can gather information from sometypes of RFID tags based solely on some physical property of the tags.For example, each RFID tag may employ several variable length antennason a dielectric substrate, so that the interrogator can detect thelength of the antennas present by sweeping through a range offrequencies. The specific pattern of antennas on the substrate therebyforms a unique code that can be recognized by the interrogator. Yetanother approach is to use a surface acoustic wave (SAW) filter in whicha surface electrode pattern determines a particular code that can beread by an interrogator.

Once programmed, the prior art RFID tag 41 00 performs a single,dedicated function, namely, to release a serial number stored in memory4108 in response to an interrogation signal, and there exists no controlover who can use it for that purpose. In contrast, in some embodimentsof the present invention, an RFID tag is provided wherein thepersonality of the tag, e.g., the code that is released uponinterrogation, can be selected by the user from a number of possiblepersonalities, and/or wherein the RFID tag can be rendered operationalonly by authorized users.

An example embodiment of an RFID tag system 4200 configured inaccordance with this aspect of the invention is shown in FIG. 42. Asshown, the system 4200 may include an RFID tag 4202 that is identical tothe prior art RFID tag 4100, except that memory 4108 of the prior artdevice has been bypassed or replace by an I/O connection 4204 to thePocket Vault 102. In such an embodiment, the Pocket Vault 102, ratherthan the memory 4108, can supply the information to the micro-controller4106 of the RFID tag 4202 that is to be released to the interrogator(via the transmitter 4102 b and antenna 4104) in response to aninterrogation signal from the interrogator.

Accordingly, in such an embodiment, the information that is to bereleased by the RFID tag 4202 in response to an interrogation signal maybe controlled by the holder of Pocket Vault 102. The Pocket Vault'sholder may therefore select the personality to be taken on by the RFIDtag 4202, for example, by using the user input device 206 (FIG. 2) toscroll through various personalities for the RFID tag 4202 that aredisplayed on the display 216, much like the holder is able to select adesired personality that is to be taken on by the token 102 a. Theholder of the Pocket Vault 102 could therefore, for example, at one timeselect a “FastLane” personality for the RFID tag 4202, enabling the RFIDtag to respond to an interrogator at a toll booth, and then at anothertime select a “Mobile Speedpass” personality, enabling the RFID tag torespond to an interrogator at a Mobile Service Station.

In some embodiments, at least some aspects of the RFID functionality ofthe Pocket Vault 102 may be exploited only after the identity of thePocket Vault holder has been authenticated, e.g., using the fingerprintscanner 220 or by proper PIN code entry, thereby providing a level ofsecurity for RFID tags that has not heretofore been provided. The PocketVault 102 may, of course, permit some non-secure RFID personalities tobe taken on by the RFID tag 4202 even without holder authentication.

In some embodiments, the data passed to the RFID tag 4202 can be made tobe dependent not just on the recognition of a fingerprint, but based onan actual number tied to a feature extracted from the fingerprint. Forexample, the area of the finger may be such a feature. The number maythen be used as a seed to a cryptographic code generator that createsthe data to be sent to the RFID tag 4202.

In the embodiment shown in FIG. 42, the I/O connection 4204 between thePocket Vault 102 and the RFID tag 4202 may be established in any of anumber of ways and the invention is not limited to any particularmechanism or technique for establishing such a connection. In someembodiments, for example, the controller 202 of the Pocket Vault 102 maycommunicate with the micro-controller 4106 of the RFID tag 4202 via acable connected between serial or parallel ports on the two devices.Alternatively, the two devices may be directly mated to one another insome suitable manner, or may communicate wirelessly if suitable securityprecautions are taken. The docking interface 208 of the Pocket Vault 102may even provide a suitable mechanism for mating the two devices.

In some embodiments, the Pocket Vault 102 may have a separate memory(not shown in FIG. 2) dedicated to the storage of the RFID tagpersonality that is to be taken on by the RFID tag 4202, and the I/Oconnection 4204 may give the micro-controller 4106 of the RFID tag 4202access to that memory. Alternatively, as mentioned above, thepersonality of the RFID tag 4202 may be communicated directly from thecontroller 202 of the Pocket Vault 102 to the micro-controller 4106 ofthe RFID tag 4202 via the I/O connection 4204.

The functionality of the RFID tag 4202 may additionally or alternativelybe built directly into the Pocket Vault 102 (FIG. 2), rather thatexisting as a separate item. In some embodiments, for example, thefunctionality of the transceiver 4102 and micro-controller 4106 of theRFID tag 4202 may be embodied by the transceiver 204 and the controller202 of the Pocket Vault 102. Alternatively, the Pocket Vault 102 mayinclude a separate micro-controller, transceiver and/or memory dedicatedto the RFID functionality discussed above. In yet another alternativeembodiment, the functionality of the RFID tag 4202 may be embodied onthe token 102 a or on different device that may be selectively releasedfrom the housing of the Pocket Vault 102. The token 102 a or otherreleasable device may, for example, include a memory that stores aselected personality for an RFID tag for only a predetermined, finiteperiod of time, and then goes blank.

In some embodiments, the Pocket Vault 102 may also control the contentof RFID tags that do not use an electronic circuit. This control can beaccomplished in a number of different ways, and the invention is notlimited to the use of any particular technique. In one embodiment, forexample, the Pocket Vault 102 may activate one or more switches to shortout one or more antennas, thereby changing the RFID code represented bythem. As with the other embodiments, this selective configuration of anRFID tag may at least in certain circumstances be permitted only afterproper authentication of the Pocket Vault holder's identity.

It should be appreciated that the RFID functionality discussed aboveneed not be combined with some or all of the other aspects of the PocketVault 102. For example, some embodiments of the invention may comprisesimply an RFID tag for which one of several personalities can beselected by the user, and/or an RFID tag that is selectively enabledonly following proper user authentication, e.g., using a fingerprintscanner or PIN code entry.

As mentioned above, FIGS. 7-12 are flow diagrams illustrating an exampleimplementation of software that may be executed by the controller 202 ofthe Pocket Vault 102. As described below, this or additional proprietarysoftware may enable menu structures, handle preference management,provide the data on and safeguard the programmability of the virtualmagnetic stripe 610 (if so equipped), and ensure proper encryption datamanagement. In one embodiment, local software for each Pocket Vault 102and pocket vault interface station 104 may be upgraded from time to timeby automatic download from the network server 114.

During execution of the routines of FIGS. 7-12, various items may bedisplayed on the display 216, including prompts or icons regarding userinput options (when a touch-screen display is employed as the display216 or a point and click mechanism is employed herewith), and variousitems may also be displayed on the token 102 a when the token 102 a isejected from the token port 218 of the Pocket Vault 102. FIGS. 26A-Pshow examples of how the display 216 and the token 102 a may appear asthe routines of FIGS. 7-12 are executed, and therefore will be discussedin connection with the description of these routines.

FIG. 7 is a flow diagram illustrating an example implementation of aprimary routine 700 that may be executed by the controller 202 of thePocket Vault 102. Instructions for the routine 700 may be stored, forexample, in the “applications” section 508 of the memory 210 of thePocket Vault 102.

As shown, the routine 700 begins at a step 702, wherein it is determinedwhether the Pocket Vault holder has applied his/her fingerprint to thefingerprint scanner 220 of the Pocket Vault 102. At the step 702, thedisplay 216 of the Pocket Vault 102 may appear as shown in FIG. 26A.That is, the display 216 may be blank at the step 702, as the PocketVault 102 is currently powered down.

When, at the step 702, it is determined that the holder has appliedhis/her fingerprint to the fingerprint scanner 220, the routine 700proceeds to a step 704, wherein the power manager 214 powers on thePocket Vault 102. The routine 700 otherwise waits at the step 702 untilthe Pocket Vault holder has applied a fingerprint to the fingerprintscanner 220. Is should be appreciated, however, that, in someembodiments, the step 702 may not represent an instruction set executedby the processor 202. Instead, the step 702 may represent the detectionof the occurrence of a physical action, e.g., the activation of ahardware switch, and the power manager 214 may be activated in responseto the detection of such an action, without requiring intervention bythe processor 202.

After the step 704, the routine 700 proceeds to a step 706, wherein thefingerprint scanner 220 scans the applied fingerprint of the PocketVault holder.

After the step 706, the routine 700 proceeds to a step 708, wherein itis determined whether the Pocket Vault 102 has been validated. In oneembodiment, the Pocket Vault 102 is not validated until: (1) a user'sfingerprints have been stored in the fingerprint memory (e.g., thewrite-once memory 212 of FIG. 2), and (2) the Pocket Vault 102 hasreceived and stored encrypted validation information (e.g., a PKIcertificate) from the network server 114, as described below.

When, at the step 708, it is determined that the Pocket Vault 102 hasnot yet been validated, the routine 700 proceeds to a step 710, whereina PROCESS POCKET VAULT VALIDATION routine (described below in connectionwith FIG. 8) is executed.

When, at the step 708, it is determined that the Pocket Vault 102 hasalready been validated, the routine 700 proceeds to a step 712, whereinit is determined whether Pocket Vault 102 has been authenticated, e.g.,whether the fingerprint scanned at the step 706 matches one of thefingerprints stored in the fingerprint memory 212.

When, at the step 712, it is determined that the Pocket Vault has notbeen properly authenticated, the routine 700 proceeds to a step 714,wherein an UNAUTHORIZED HOLDER routine (discussed below in connectionwith FIG. 9) is executed. FIGS. 26B-D show how the display 216 of thePocket Vault 102 may appear during the UNAUTHORIZED HOLDER routine, andtherefore are also discussed below in connection with FIG. 9.

When, at the step 712, it is determined that the Pocket Vault 102 hasbeen properly authenticated, the routine 700 proceeds to a step 713,wherein an encrypted message including the unique Pocket Vault chip IDis transmitted to the pocket vault interface unit 302, in the event thatthe Pocket Vault 102 is interfaced or in communication with such adevice.

In some embodiments, before a Pocket Vault holder is granted access tothe contents of his or her Pocket Vault 102, a check may be made toensure that the components used to interface the Pocket Vault 102 withthe other components in the network 100 (either wirelessly or directly)are in place and operating correctly, and have not been compromised.Alternatively, the operability and integrity of such components may bechecked just prior to their use.

Moreover, in some embodiments, prior to granting a holder access to thecontents of the Pocket Vault 102, a check may be made to ensure that thecontents of the Pocket Vault 102 have been updated recently. Forexample, the Pocket Vault 102 may forbid its holder from accessing itscontents if the Pocket Vault 102 has not been updated at least 48 hours(or some other specified time period) prior to the attempted use.Updating of the Pocket Vault 102 may be accomplished, for example, usingthe synchronization or backup and recovery methods described herein.

After the step 713, the routine 700 proceeds to a step 716, wherein itis determined whether the Chameleon Card (i.e., the token 102 a) ispresently on-board the Pocket Vault 102 (i.e., whether the token 102 ais disposed within the card port 218 of FIG. 2).

When, at the step 716, it is determined that the token 102 a is noton-board the Pocket Vault 102, the routine 700 proceeds to a step 718,wherein the Pocket Vault holder is informed that the Chameleon Card isnot on board, and is asked whether he/she wants to engage in a non-cardtransaction (i.e., a transaction not involving the token 102 a).

After the step 718, the routine 700 proceeds to a step 720, wherein itis determined whether the holder has selected to engage in a non-cardtransaction.

When, at the step 720, it is determined that the holder has selected notto engage in a non-card transaction, routine 700 returns to the step 716(described above), wherein it is again determined whether the ChameleonCard is on board the Pocket Vault 102. Therefore, the holder ispermitted to engage in a transaction involving the Chameleon Card onlywhen it has been confirmed that the Chameleon Card is on board thePocket Vault 102.

When, at the step 720, it is determined that the holder has selected toengage in a non-card transaction, the routine 700 proceeds to the step722, wherein the AUTHORIZED HOLDER routine (discussed below inconnection with FIGS. 10 and 11) is executed.

When, at the step 716, it is determined that the Chameleon Card ison-board the Pocket Vault 102, the routine 700 also proceeds to the step722, wherein the AUTHORIZED HOLDER routine (discussed below inconnection with FIGS. 10 and 11) is executed. FIGS. 26G-N and 26P showhow the display 216 of the Pocket Vault 102 and the token 102 a ejectedtherefrom may appear (when employed) during the AUTHORIZED HOLDERroutine, and therefore are also discussed below in connection with FIGS.10 and 11.

After each of the steps 710, 714, and 720 (only one of which is executedduring each iteration of the routine 700), the routine 700 proceeds to astep 724, wherein the VERIFY CARD RETURN routine (discussed below inconnection with FIG. 12) is executed. FIG. 260 shows how the display 216of the Pocket Vault 102 may appear during the VERIFY CARD RETURNroutine, and therefore is also discussed below in connection with FIG.12.

After the step 724, the routine 700 proceeds to a step 726, wherein thescreen of the display 216 is caused to flash to indicate that the PocketVault 102 is being shut down.

After the step 726, the routine 700 proceeds to a step 728, wherein thePocket Vault 102 is powered down.

After the step 728, the routine 700 returns to the step 702, wherein thePocket Vault 102 again waits for a fingerprint to be applied to thefingerprint scanner 220, and wherein the display 216 may again appear asshown in FIG. 26A.

FIG. 8 is a flow diagram illustrating an example embodiment of thePROCESS POCKET VAULT VALIDATION routine shown in FIG. 7 (step 710).

As shown, the routine 710 begins at a step 801, wherein the holder isinformed (e.g., on the display 216) that the Pocket Vault 102 is notcurrently validated, and that the holder must interface the Pocket Vault102 with an interface unit 302 of an appropriate interface station 104(e.g., a validation interface station 104 a) if the holder desires tovalidate the Pocket Vault 102.

After the step 801, the routine 710 proceeds to step 802, wherein it isdetermined whether the Pocket Vault 102 has been interfaced with anappropriate interface unit 302.

When, at the step 802, it is determined that the pocket vault 102 hasnot yet been interfaced with an appropriate interface unit 302, theroutine 710 returns to the step 801 (discussed above).

When, at the step 802, it is determined that the Pocket Vault 102 hasbeen interfaced with an appropriate interface unit 302, the routine 710proceeds to a step 803, wherein it is determined whether the fingerprintmemory, e.g., the write-once memory 212, is empty.

When, at the step 803, it is determined that the fingerprint memory isempty, the routine 710 proceeds to a step 804 a, wherein the holder isprompted to apply a fingerprint from one finger of his or her left handto the fingerprint scanner 220, waiting for a “beep” to be emitted(e.g., by indicator 215) after each fingerprint application.

Next, during steps 806 a-810 a, the routine proceeds until thefingerprint of the selected finger has been scanned three timessuccessfully.

After the steps 806 a-810 a, the routine proceeds to a step 804 b,wherein the holder is prompted to apply a fingerprint from one finger ofhis or her right hand to the fingerprint scanner 220, waiting for a“beep” to be emitted (e.g., by indicator 215) after each fingerprintapplication.

Next, during steps 806 b-810 b, the routine proceeds until thefingerprint of the selected finger has been scanned three timessuccessfully.

After completing the steps 806 b-810 b, when a total of six fingerprintshave been stored in memory, the routine 710 proceeds to a step 812,wherein an encrypted message including the pocket vault ID istransmitted to the interface unit 302, for ultimate transmission to thenetwork server 114.

When, at the step 803, it is determined that the fingerprint memory,e.g., the write-once memory 212, is not empty, the routine 710 proceedsto a step 811, wherein it is determined whether the fingerprint scannedat the step 706 (FIG. 7) matches one of the stored fingerprints.

When, at the step 811, it is determined that the fingerprint scanned atthe step 706 does match one of the stored fingerprints, the routine 710proceeds to the step 812 (discussed above).

When, at the step 811, it is determined that the fingerprint scanned atthe step 706 does not match any of the stored fingerprints, the routine710 proceeds to a step 818, wherein an indication (e.g., a message onthe display 216 or an audio signal from the indicator 215) is generatedto inform the holder that the validation attempt was unsuccessful.

After the step 818, the routine 710 terminates.

After the step 812, the routine 710 waits at steps 814 and 816 todetermine whether an encrypted message including validation information(e.g., a PKI certificate) has been received from the interface unit 302.This encrypted validation information may, for example, be received bythe Pocket Vault 102 via either the docking interface 208 or thetransceiver 204 of the pocket vault interface unit 302 of a validationinterface station 104 a. As discussed in more detail below, thisencrypted validation information may, for example, be generated by thenetwork server 114 and forwarded to the pocket vault interface unit 302of a validation interface station 104 a (via the interface stationcomputer 304 of the validation interface station 104 a) after certainconditions have been met. The network server 114 may thereforeultimately determine whether each Pocket Vault 102 is permitted toreceive this validation information.

When, at the step 816, it is determined that the time-out period haselapsed, the routine 710 proceeds to the step 818 (discussed above).

When, at the step 814, it is determined that encrypted validationinformation has been received before the timeout period of the step 816has elapsed, the routine 710 proceeds to a step 820, wherein thevalidation information is stored in memory.

After the step 820, the routine 710 proceeds to a step 822, wherein anindication (e.g., a message on the display 216 or an audio signal fromthe indicator 215 of the Pocket Vault 102) is generated to inform theholder that the Pocket Vault 102 has been successfully validated.

After the step 822, the routine 710 terminates.

FIG. 9 is a flow diagram illustrating an example implementation of theUNAUTHORIZED HOLDER routine shown in FIG. 7 (step 714).

As shown, the routine 714 begins at a step 902, wherein a menu isdisplayed on the display 216 that permits the holder to select one ofseveral options: (1) TRY AGAIN, (2) POCKET VAULT RETURN INFORMATION, (3)EMERGENCY INFORMATION, or (4) END SESSION. FIG. 26B shows how thedisplay 216 may appear when the step 902 is reached. As shown, textualinformation and/or icons representing the various menu options may bedisplayed to the holder.

After the step 902, the routine 714 proceeds to a step 904, wherein theroutine 714 waits for one of the displayed menu items to be selected bythe holder (e.g., when the holder touches the location on the screen ofthe display 216 at which the menu item is displayed).

After one of the menu items has been selected at the step 904, theroutine 714 proceeds to a step 906, wherein it is determined whether theTRY AGAIN option was selected. By selecting TRY AGAIN, the holder mayrequest that the holder again be permitted to attempt to access thesecure contents of the Pocket Vault 102 by reapplying the holder'sfingerprint to the fingerprint scanner 220.

When, at the step 906, it is determined that the user has selected theTRY AGAIN option, the routine 714 proceeds to a step 912, wherein it isdetermined whether this is the third sequential time that the scannedfingerprint has failed to match the fingerprint stored in memory.

When, at the step 912, it is determined that three sequential failedmatches have occurred, the routine 714 proceeds to a step 914, whereincertain security precautions are taken in light of the multiple failedattempts to match the holder's fingerprint with that stored in thePocket Vault 102. For example, when multiple failed matches haveoccurred, the Pocket Vault's secure memory may be erased, a securityalert message may be broadcast by the transceiver 204 and/or any otherprudent steps may be taken to ensure that an unauthorized user does notaccess the Pocket Vault's sensitive contents.

After the step 914, the routine 714 terminates.

When, at the step 912, it is determined that this is not the thirdconsecutive time that the holder's fingerprint has failed to match thatstored in the Pocket Vault's memory, the routine 714 terminates, and theholder may then again attempt (at the step 702) to access the PocketVault 102 by reapplying his/her fingerprint to the fingerprint scanner220.

When, at the step 906, it is determined that the TRY AGAIN option hasnot been selected, the routine 714 proceeds to a step 908, wherein it isdetermined whether there exist any nested menu items for the menu itemselected at the step 904.

When, at the step 908, it is determined that nested menu items do existfor the selected menu item, the routine 714 proceeds to a step 910,wherein the nested menu items for the selected menu item are displayedto the holder on the display 216.

After the step 910, the routine 714 returns to the step 904, wherein theroutine 714 again waits for the holder to select one of the displayedmenu items.

When, at the step 908, it is determined that no nested menu items existfor the selected menu item, the routine 714 proceeds to a step 916,wherein it is determined whether the END SESSION option has beenselected.

When, at the step 916, it is determined that the END SESSION option hasbeen selected, the routine 714 terminates.

When, at the step 916, it is determined that the END SESSION option hasnot been selected, the routine 714 proceeds to a step 918, wherein theinformation, if any, for the selected menu item is displayed to theholder on the display 216. Because the step 918 is reached only after afailed attempt to match the holder's fingerprint with that stored in thememory of the Pocket Vault 102, the information displayed at the step918 may, for example, include information as to where the Pocket Vault102 may be returned if it is found by someone other than the PocketVault holder (see FIG. 26C), or may be emergency information regardingthe holder such as the holder's blood type, allergies, persons tocontact in case of an emergency, etc. (see FIG. 26D). It should beappreciated that any of a number of non-secure media may be selectedusing the menu access routine discussed above in connection with steps904-910, and may be displayed to the person accessing the Pocket Vault102, regardless of the identity of that person. Of course, thisnon-secure information may be information that the holder would not mindfalling into the hands of a stranger should the holder misplace or havehis/her Pocket Vault 102 stolen.

After the step 918, the routine 714 proceeds to a step 920, whereinafter a delay of a certain period of time (e.g., thirty seconds), theholder is prompted to reapply his/her fingerprint within a particularperiod of time (e.g., ten seconds) to avoid shut down of the PocketVault 102.

After the step 920, the routine 714 proceeds to a step 922, wherein itis determined whether a fingerprint has been reapplied to thefingerprint scanner 220 within ten seconds.

When, at the step 922, it is determined that a fingerprint has beenreapplied to the fingerprint scanner 220 within ten seconds, the routine714 returns to the step 918 (discussed above), wherein the selectedinformation is again displayed to the user.

When, at the step 922, it is determined that a fingerprint has not beenreapplied to the fingerprint scanner 220 within ten seconds, the routine714 terminates.

FIG. 10 is a flow diagram illustrating an example implementation of theAUTHORIZED HOLDER routine of FIG. 7 (step 722).

As shown, the routine 722 begins at a step 1002, wherein it isdetermined whether an advertisement is scheduled for display on thePocket Vault 102. Information regarding whether certain advertisementsare to be displayed by the Pocket Vault 102 may have been uploaded, forexample, from the personal interface station 104 b in response to theholder previously interfacing the Pocket Vault 102 with the personalinterface station 104 b to synchronize the contents of the Pocket Vault102 with information stored on the network server 114. The advertiser108 (FIG. 1) may, for example, have made arrangements with the companyoperating the network server 114 to have certain advertising informationuploaded to Pocket Vaults 102 when particular Pocket Vault holdersinterface their Pocket Vaults 102 with their personal interface stations104 b.

When, at the step 1002, it is determined that an advertisement has beenscheduled, the routine 722 proceeds to a step 1004, wherein thescheduled advertisement is displayed, for example, for approximately twoseconds. FIG. 26I shows an example of how the display 216 may appearwhen such an advertisement is displayed.

After the step 1004, the routine 722 proceeds to a step 1006, wherein a“welcome screen” is displayed for a brief period (e.g., one second).FIG. 26G shows an example of how the display 216 may appear when such awelcome screen is displayed.

When, at the step 1002, it is determined that an advertisement is notscheduled, the routine 722 proceeds immediately to the step 1006, and noadvertisement is displayed to the Pocket Vault holder.

After the step 1006, the routine 722 proceeds to a step 1008, wherein itis determined whether a “preferred” menu has been selected or pre-setfor initial display to the Pocket Vault holder.

When, at the step 1008, it is determined that a preferred menu has beenselected or pre-set, the routine 722 proceeds to a step 1012, whereinthe display 216 fades to the preferred menu. FIGS. 26H and 26J showexamples of how the display 216 may appear when such a preferred menu isdisplayed. In the example of FIG. 26H, the preferred menu immediatelyshows the holder's preferred credit card as the selected menu item.Should the holder opt to use this media to engage in a transaction, theholder can simply choose the media directly. Alternatively, the holdermay opt to access the HOME menu or other menu items by selectingappropriate icons displayed on the screen. In the example of FIG. 26J,the preferred menu immediately shows, perhaps, a selected group of theholder's most frequently used menu items.

When, at the step 1008, it is determined that a preferred menu has notbeen selected or pre-set, the routine 722 proceeds to a step 1010,wherein the display 216 fades to a standard HOME menu of secure items.FIG. 26L shows an example of how the display 216 may appear when theHOME menu is displayed.

After either one of the steps 1010 and 1012 has been executed, theroutine 722 proceeds to a step 1014, wherein the routine 722 waits forthe holder to select one of the displayed menu items.

When, at the step 1014, it is determined that the holder has selected aparticular menu item, the routine 722 proceeds to a step 1016, whereinit is determined whether the holder has selected to enter or return tothe HOME menu.

When, at the step 1016, it is determined that the holder has selectedthe HOME option, the routine 722 proceeds to the step 1010, wherein theHOME menu of secure items is displayed.

When, at the step 1016, it is determined that the holder has selected amenu item other than the HOME option, the routine 722 proceeds to a step1018, wherein it is determined whether there exist any nested menu itemsfor the selected menu item.

When, at the step 1018, it is determined that nested menu items do existfor the selected menu item, the routine 722 proceeds to a step 1020,wherein the nested menu items for the selected menu item are displayed.Thus, the holder may work his/her way through various layers of menuitems until the desired menu item is reached. It should be appreciatedthat the menu items on the higher-level layers therefore may becategorized so as to enable the holder to quickly reach the desiredmedia or other menu option.

When, at the step 1018, it is determined that no nested menu items existfor the selected menu item, the routine 722 proceeds to a step 1022,wherein it is determined whether the holder has selected a media fromamong the available menu items.

When, at the step 1022, it is determined that the holder has notselected a media, the routine 722 proceeds to a step 1040, whereininformation relating to the selected non-media item may be displayed, orsome other function may performed in accordance with the holder'sselection. A non-media menu selection may involve, for example,preference settings for certain functional aspects of the Pocket Vault102, e.g., whether the holder has a preferred secure menu (see step1008). Preferences for the services or the device can be selected and,as appropriate, distributed to the Pocket Vault 102 either on the spotor the next time the Pocket Vault 102 is interfaced with an appropriateinterface station 104. Preferences may, for example, include definitionof home pages, connection of secure and non-secure media, order of mediapresentment, sort orders, user interface options, synchronizationdefaults, etc. Preferences that determine which items are displayed onthe home page or on other pages may be defined. For example, a PocketVault holder may set up three preference sets: one for “business,” onefor “personal,” and one for “vacation.” The “personal” and “business”preference sets may be set to be effective at different times of the dayand/or different days of the week. The “vacation” preference set may bemade effective for specific blocks of time determined by the PocketVault holder, possibly overriding the normal timing of the “personal”and “business” sets. The Pocket Vault holder may choose to establish thevarious preference settings based on his or her judgment or he or shemay choose to allow the network server 114, supported by variousdatabases, knowledge of the Pocket vault holder's various media andgoals set by the Pocket Vault holder (e.g., minimize interest cost oncredit cards or maximize frequent flyer miles, etc.), to determineoptimal media use patterns and resulting media menu contents for aparticular Pocket Vault holder. Preferences may also be defined betweenmedia that will link them for: (a) affiliate credits (like frequentflyer miles) that may be automatically presented to a merchant andtracked for a holder, (b) available discounts afforded by a membership(like senior citizen or AAA discounts), and/or (c) process improvementpurposes (e.g., when information needs to be presented in a certainorder to work properly). For example, a linkage preference mayfacilitate presentation of a discount card before presentation of apayment card when buying groceries.

After the step 1040, the routine 722 proceeds to a step 1042, whereinthe holder is prompted either to END the session, or to return to theHOME menu.

After the step 1042, the routine 722 proceeds to a step 1044, wherein itis determined whether the holder has opted to END the session or toreturn to the HOME menu.

When, at the step 1044, it is determined that the holder has selected toreturn to the HOME menu, the routine 722 proceeds to the step 1010(discussed above).

When, at the step 1044, it is determined that the holder has opted toEND the session, the routine 722 terminates.

When, at the step 1022, it is determined that the holder has selected amedia from the displayed menu items, the routine 722 proceeds to a step1024, wherein the selected media is displayed to the holder on thedisplay 216. The selected media may, for example, be a particular creditcard, in which case the name of the credit card and/or the logo for thecredit card and any preferred advertisement, specials, etc., for theselected media may be displayed to the holder as well.

After the step 1024, the routine 722 proceeds to a step 1026, whereinthe holder is prompted to choose to: (1) EJECT the card, (2) to invoke aWIRELESS transaction, or (3) to return to the HOME menu.

After the step 1026, the routine 722 proceeds to a step 1028, wherein itis determined which of these three options has been selected by theholder.

When, at the step 1028, it is determined that the holder has opted toreturn to the HOME menu, the routine 722 proceeds to the step 1010(discussed above).

When, at the step 1028, it is determined that the holder has selectedthe EJECT card option, the routine 722 proceeds to a step 1032, whereinit is determined whether the Chameleon Card is on board the Pocket Vault102 (i.e., whether the token 102 a is disposed in the token port 218).

When, at the step 1032, it is determined that the Chameleon Card is noton board the Pocket Vault 102, the routine 722 proceeds to a step 1034,wherein the holder is informed that the Chameleon Card is not on boardthe Pocket Vault 102.

After the step 1034, the routine 722 proceeds to the step 1026(discussed above).

When, at the step 1032, it is determined that the Chameleon Card is onboard the Pocket Vault 102, the routine 722 proceeds to a step 1036,wherein the PROCESS CARD TRANSACTION routine (discussed below inconnection with FIG. 11) is executed.

After the step 1036, the routine 722 proceeds to a step 1038, whereinthe VERIFY CARD RETURN routine (discussed below in connection with FIG.12) is executed.

After the step 1038, the routine 722 proceeds to the step 1042(discussed above).

When, at the step 1028, it is determined that the holder has opted toinvoke a wireless transaction, the routine 722 proceeds to a step 1030,wherein the wireless transaction involving the selected media isexecuted. This wireless transaction may be invoked, for example, usingthe transceiver 204 of the Pocket Vault 102 to communicate with thetransceiver 310 (FIG. 3) of a commercial interface station 104 c(FIG. 1) over a wireless network, such as Bluetooth. Alternatively, theselected wireless transaction may be an RFID transaction if an RFIDpersonality has been selected from amongst the available media. If suchan RFID transaction has been selected, an appropriate RFID code may besupplied to the controller responsible for broadcasting an RF signalcontaining that code in response to an interrogation signal. If thatcontroller is on the Chameleon card, then these steps may alternativelybe performed in connection with the PROCESS CARD TRANSACTION routine(step 1036) discussed below.

As mentioned above, in embodiments that permit wireless transactions, acheck of the wireless components may be made (e.g., verifying that aninternal antenna (not shown) is in place and connected, and that relatedcircuitry is not defeated or compromised in any way), prior to grantingthe holder access to the contents of the Pocket Vault 102.Alternatively, such a check may be made in response to such a wirelesstransaction being requested, e.g., at the step 1030.

After the step 1030, the routine 722 proceeds to the step 1042(discussed above).

FIG. 11 is a flow diagram illustrating an example implementation of thePROCESS CARD TRANSACTION routine of FIG. 10 (step 1036).

As shown, the routine 1036 begins at a step 1102, wherein the ChameleonCard is configured to carry the selected media, and is ejected from thecard port 218 (FIG. 2). As discussed above, the token 102 a may beconfigured to carry the selected media in any of a number of ways, andthe invention is not limited to any particular type of configurationtechnique. The card may be configured, for example, by using a magneticread/write head to write to a conventional magnetic stripe on the token102 a, by causing the token 102 a to generate a simulated magneticstripe, by causing the token 102 a to have a bar code disposed on it,and/or simply by causing a card number and perhaps security-relatedinformation to be visibly displayed it (e.g., using an LCD display orsome type of printing technique). The token 102 a may possibly beconfigured to hold such information for only a predetermined, finiteperiod of time, so that it is not useable after such time. It should beappreciated, of course, that the card need not be temporarily configuredin all embodiments, and may alternatively be configured in a morepermanent manner in some embodiments.

After the step 1102, the routine 1036 proceeds to a step 1104, whereinthe selected media is grayed out on the display 216 to indicate that themedia is currently in use by the Chameleon Card. When the selected mediais grayed out, the Pocket Vault's ability to configure another ChameleonCard with the grayed out media may also be disabled. Therefore, in suchan embodiment, even if the Pocket Vault holder had an additionalChameleon Card available, the Pocket Vault 102 would be incapable ofloading that media onto that Chameleon Card.

After the step 1104, the routine 1036 proceeds to a step 1106, whereinit is determined whether the selected media has stored value associatedwith it. The selected media may, for example, represent a pre-paidcalling card from which value is deducted each time the media is used ina particular transaction, or a frequent flier card to which value (e.g.,miles) is added in connection with each airline ticket purchased.

When, at the step 1106, it is determined that the selected media doeshave stored value associated with it, the routine 1036 proceeds to astep 1108, wherein a “stored value flag” (discussed below in connectionwith step 1126 of routine 1036 (FIG. 11) and step 1212 of routine 724(FIG. 12)) is set to TRUE.

After the step 1108, the routine 1036 proceeds to a step 1110, whereinit is determined whether the holder has set a default option so as topermit the holder to maintain expense records by recording transactionsinto registers assigned to expense categories.

When, at the step 1106, it is determined that the selected media doesnot have stored value associated with it, the routine 1036 proceedsimmediately to the step 1110.

When, at the step 1110, it is determined that the holder has not optedfor the ability to maintain expense records, the routine 1036terminates.

When, at the step 1110, it is determined that the holder has opted forthe ability to maintain expense records, the routine 1036 proceeds to astep 1112, wherein the holder is prompted to decide whether to recordthe currently-pending transaction.

After the step 1112, the routine 1036 proceeds to a step 1114, whereinit is determined whether the holder has opted to record the pendingtransaction.

When, at the step 1114, it is determined that the holder has not optedto record the transaction, the routine 1036 terminates.

When, at the step 1114, it is determined that the holder has opted torecord the transaction, the routine 1036 proceeds to a step 1116,wherein a menu including a number of options involving expensecategories are displayed to the holder on the display 216.

After the step 1116, the routine 1036 proceeds to a step 1118, whereinthe routine 1036 waits for the holder to select one of the displayedmenu options.

When, at the step 1118, it is determined that the holder has selected amenu item, the routine 1036 proceeds to a step 1120, wherein it isdetermined whether the holder selected the SKIP RECORD option, e.g.,when the holder has changed his or her mind and opted not to record aparticular transaction.

When, at the step 1120, it is determined that the holder has selectedthe SKIP RECORD option, the routine 1036 terminates.

When, at the step 1120, it is determined that holder has not selectedthe SKIP RECORD option, the routine 1036 proceeds to a step 1122,wherein it is determined whether any nested menu items exist for theselected menu item.

When, at the step 1122, it is determined that nested menu items do existfor the selected menu item, the routine 1036 proceeds to a step 1124,wherein the nested menu items are displayed to the holder on the display216.

After the step 1124, the routine 1036 returns to the step 1118(discussed above).

When, at the step 1122, it is determined that no nested menu items existfor the selected menu item, the routine 1036 proceeds to a step 1126,wherein it is determined whether the stored value flag was set to TRUEat the step 1108 (discussed above).

When, at the step 1126, it is determined that the stored value flag isset to TRUE, the routine 1036 proceeds to a step 1128, wherein a “recordstored value transaction” flag (discussed below in connection with step1216 of routine 724 (FIG. 12)) is set to TRUE.

After the step 1128, the routine 1036 terminates.

When, at the step 1126, it is determined that the “stored value” flag isnot TRUE, the routine 1036 proceeds to a step 1130, wherein the holderis prompted to enter a dollar amount to be recorded for the transaction.

After the step 1130, the routine 1036 proceeds to a step 1132, whereinthe routine 1036 waits for the holder to enter a transaction amount.After the holder has entered a transaction amount, the routine 1036proceeds to a step 1134, wherein a “transaction summary approval” menuis displayed to the holder on the display 216. In the example shown,this menu permits the holder to select (1) to APPROVE the recordation,(2) to change the expense CATEGORY for the transaction, or (3) to changethe AMOUNT to be recorded.

After the step 1134, the routine 1036 proceeds to a step 1136, whereinit is determined which of the menu items displayed in step 1134 theholder has selected.

When, at the step 1136, it is determined that the holder has selected tochange the transaction AMOUNT, the routine 1036 returns to the step 1130(discussed above).

When, at the step 1136, it is determined that the holder has opted tochange the expense CATEGORY, the routine 1036 returns to the step 1116(discussed above).

When, at the step 1132, it is determined that the holder has opted toAPPROVE the recordation, the routine 1036 proceeds to a step 1138,wherein the entered transaction amount is added to the expense registerfor the selected category, and the balances associated therewith areupdated accordingly.

After the step 1138, the routine 1036 terminates.

FIG. 12 is a flow diagram illustrating the VERIFY CARD RETURN routine ofFIG. 7 (step 724).

As shown, the routine 724 begins at a step 1202, wherein it isdetermined whether the Chameleon Card is currently on board the PocketVault 102 (i.e., whether the token 102 a is disposed within the tokenport 218).

When, at the step 1202, it is determined that the Chameleon Card is noton board the Pocket Vault 102, the routine 724 proceeds to a step 1204,wherein the holder is prompted to return the Chameleon Card to the tokenport 218 (see FIG. 260).

After the step 1204, the routine 724 proceeds to a step 1206, wherein itis determined whether a timeout period (e.g., ten seconds) has elapsedsince the user was last prompted to return the Chameleon Card to thetoken port 218.

When, at the step 1206, it is determined that the timeout period has notyet elapsed, the routine 724 returns to the step 1202 (discussed above).

When, at the step 1206, it is determined that the timeout period haselapsed, the routine 724 proceeds to a step 1208, wherein the user isagain prompted to return the Chameleon Card, this time with an audioindication (e.g., a “chime” sound generated by the indicator 215 of FIG.2).

After the step 1208, the routine 724 proceeds to a step 1210, wherein itis determined whether an extended timeout period (e.g., 10 minutes) haselapsed since the user was first prompted to return the Chameleon Cardto the token port 218.

When, at the step 1210, it is determined that the extended timeoutperiod has not yet elapsed, the routine 724 returns to the step 1202(discussed above).

When, at the step 1210, it is determined that the extended timeoutperiod has elapsed, the routine 724 terminates.

When, at the step 1202, it is determined that the Chameleon Card is onboard the Pocket Vault 102 (i.e., the token 102 a is disposed within thetoken port 218), the routine 724 proceeds to a step 1212, wherein it isdetermined whether the “stored value” flag was set to TRUE in step 1108of the routine 1036 (FIG. 11).

When, at the step 1212, it is determined that the “stored value” flag isnot TRUE, the routine 724 terminates.

When, at the step 1212, it is determined that the “stored value” flag isTRUE, the routine 724 proceeds to a step 1214, wherein the stored valuefor the selected media is updated based on the amount deducted from theChameleon Card during its use.

After the step 1214, the routine 724 proceeds to a step 1216, wherein itis determined whether the “record stored value transaction” flag was setto TRUE in the step 1128 of the routine 1036 (FIG. 11).

When, at the step 1216, it is determined that the “record stored valuetransaction” flag is FALSE, the routine 724 proceeds to a step 1222,wherein the “stored value” flag is set to FALSE.

When, at the step 1216, it is determined that the “record stored valuetransaction” flag is TRUE, the routine 724 proceeds to a step 1218,wherein the dollar amount of the transaction is added to the selectedexpense register (i.e., the expense register selected at the step 1118of the routine 1036 (FIG. 11)). The dollar amount entered is determinedbased on the dollar amount that was deducted from the stored value onthe Chameleon Card as a result of the transaction.

After the step 1218, the routine 724 proceeds to a step 1220, whereinthe “record stored value transaction” flag is set to FALSE.

After the step 1220, the routine 724 proceeds to the step 1222(discussed above)

After the step 1222, the routine 724 terminates.

In addition to a routine such as that discussed above in connection withFIGS. 7-12, certain software enhancements may also be disposed in thememory 210 of a Pocket Vault 102 for use with the controller 202. Onesuch software enhancement involves the use of “system preference file”software. This software may establish certain preferences that cannot bealtered on the Pocket Vault 102 by the holder, and which may be storedin encrypted form, along with certain information regarding value-basedmedia. For example, Pocket Vaults 102 may be sold with a choice of twoor three advertising profiles. During the Pocket Vault registration andvalidation process (described below), an encrypted system preferencefile may be created that indicates whether the device was, for example,subject to a “Premium,” “Plus” or “Base” profile status. This status mayhave been selected, for example, on the Pocket Vault 102 itself, orusing one of the interface stations 104 a-c when the Pocket Vault 102was interfaced therewith.

Under the “Premium” profile, the Pocket Vault 102 may beadvertising-free, but cost a significant amount. Under the “Plus”profile, the Pocket Vault 102 may display only advertising related toshops or services you currently patronize, but cost significantly lessthan the “Premium” version. Under the “Base” profile, the Pocket Vault102 may have a variety of advertising on a regular basis, subject onlyto network “saturation effectiveness” limitations, and the Pocket Vault102 may be free, or nearly so (e.g., a small purchase charge to generatein-store revenue for the retailer may be charged).

A holder's choice about participation in specific promotional campaignslinked to the holder's buying behavior may also be part of theregistration process and affect retail pricing. Once chosen, the networkserver 114 may send a message to the Pocket Vault 102, e.g., via thevalidation interface station 104 a, and direct the storage of necessaryencrypted information on the Pocket Vault 102 (e.g., “Buyer ProfileParticipant”).

The advertising and marketing choices may be changed at a date afterpurchase and result in a changed set of costs (either credits or debits)to the Pocket Vault holder. Other system preference data may include the“saturation effectiveness” limitations on the amount of advertising thatcan appear during any given single use window (a particular periodduring which the device is powered on), any given hour, any given dayand/or any given month. The limitations may control both the number ofadvertisements permitted and the amounts of advertisement timepermissible (e.g., seconds per advertisement), by category (e.g., suchlimitations may, for example, based on categories of advertisements beimposed general advertising, advertising from retailers that the PocketVault holder already patronizes and advisory notices from the networkserver 114. For example, these limits may be set to balance the need foradvertising revenue with the need to not overwhelm or annoy Pocket Vaultholders. This preference file may, for example, limit all advertising toone advertisement per “on-session,” two advertisements per hour, fouradvertisements per day and/or twenty advertisements per month. Generaladvertisements might get priority claim on this time up to a set limit(say 75% of all advertisement time), with targeted advertisements next,and advisory messages last.

Another software enhancement that may be employed is software used forpreference file management. Such “preference file management” softwaremay, for example, include a default file which is periodically updatedfrom the network server 114, and a Pocket Vault holder custom file.Using this software, the holder may, for example, be able to modify: (1)the initial on-screen backdrop and message greeting; (2) the menustructure and media order within menu screens; (3) some (but not all) ofthe bio-metric input requirement parameters; (4) the amount of on-timeafter the bio-metric data is confirmed (within pre-set limits); (5) theability to conceal all or part of the credit or debit accountinformation on the Chameleon Card display area; (6) the normalrestaurant tip percentage; (7) the links between certain media; and/oroversight preference restrictions.

For example, some of the menu tree structures for the Pocket Vault 102may be set by the holder. This may include the sequence in which certainscreens appear (e.g., debit screens before credit screens), among creditscreens (e.g., Visa before MasterCard) and media order-of-appearancewithin a screen (e.g., FirstCard Visa before ChaseVisa).

Generally, a retailer does not need to see a credit or debit accountnumber, while the approving entity contacted on the dialup modem does.Today, credit and debit cards have this information embossed on the cardand recorded in the magnetic stripe on the back of the card. If themagnetically encoded information is unreadable due to mechanical wear ofthe magnetic stripe or for other reasons, the embossed image can alwaysbe read by the clerk and manually keyed in. There is no way for thisembossing to disappear when it is not needed and appear at just theright time, either with a standard card or a Smartcard. As a result,such numbers are generally in view and this visibility may lead tofraud. In one embodiment, the Pocket Vault 102 may be programmed toconceal this number, unless prompted to the contrary by the holder. Aretailer may confirm the kind of credit or debit being presented and thefull name on the card, without having to see or be told the accountnumber. On the rare occasion when the number itself is needed, theholder may, for example, repeat the bio-metric input to the Pocket Vault102 to reveal the card account number. If placed in the personalinterface station 104 c, such account numbers may be automaticallyrevealed (e.g., through detection of an encrypted cookie on theinterface station computer 304 of the personal interface station 104 c).

If the holder establishes a preferred tip percentage, this preferred tipamount may be automatically applied to restaurant checks. This mayeliminate a step in restaurant check close-out and reduce the hassle ofcalculating an appropriate tip and eliminate the need for waitstaff toreturn to pick up the credit receipt with the tip.

The holder may also choose to link certain media on the Pocket Vault 102to reduce selection tasks at the point-of-transaction. For example, theholder may link certain credit or debit cards to certain frequent buyerID cards, thereby enabling the holder to pick a grocery store frequentbuyer card (which would be linked to a debit card and brought upautomatically after the grocery store card).

At the point of registration or issuance, a Pocket Vault holder may beasked if there is to be any transaction oversight security. If theanswer is yes, a second bio-metric input may be required from theindividual endowed with that oversight role. For example, a parent maychoose to get a Pocket Vault 102 for a child or other relative who maylack certain fiscal discipline. At issuance, and prior to any credit ordebit media being added to the Pocket Vault 102, the oversight authoritymay need to be established. The person having such oversight authoritymay then have sole access to a profile of transaction preference data.The person having the oversight authority may therefore create andmodify this profile any time after issuance. This data set may limit oneor more of the following: (1) debit and credit transaction dollar volumeper day, per week and/or per month; (2) certain purchase restrictionssuch as the types of retailers to whom payments are permitted, such asexclusion of gambling establishments or liquor stores; and (3)geographic restrictions such as payments within 10 miles of a son's ordaughter's college campus, but not beyond).

Another software enhancement that may be employed is software formanaging media image libraries. Every media image sent to the display216 may actually be a composite of from two to five layers of graphicsfiles. Layers one, two and four may, for example, be stored in medialibrary files while layers three and five may include text and datafiles stored in memory on the Pocket Vault 102. For example, a creditcard image may comprise separate layers for: (1) the standard creditcard background and icon; (2) the issuing bank's overlay icons and text;(3) the individual's account number; and (4) customized advertising fromthe issuing bank and/or credit card company.

Layering the image in this fashion may minimize data transmissionrequirements, reduce memory storage requirements, and speed up screendisplay. For example, Pocket Vaults 102 may be preloaded at point ofmanufacture with background images of the top ten credit images, threepassport images (e.g., EU, US, Japan), and a handful of otherglobally-relevant backgrounds. When, for example, a Pocket Vault holderliving in Boston initially registers a device, it may triggerdownloading of the top five additional background images prevalent inthat area. When the individual applies for and is electronically issueda new credit card over the network system 100, the download from thenetwork server 114 may include a second layer credit card companyoverlay for the credit card, along with the third layer of account andname information, and the fourth layer of the most recent customizedadvertisement from the credit card company related to a seasonalpromotion of card usage.

The advertisement layer may be temporary in nature. This layer may, forexample, remain on-screen for a given number of seconds, predeterminedby the time period of the advertisement paid for by the advertiser.Underneath such an advertisement, a fifth layer of Pocket Vaultholder-determined data may appear, also for a temporary period, in thiscase for privacy reasons and for a period set by the holder. Thispositioning of the holder's data below the advertising data increase thevalue of the advertisement time, since holders will be likely to viewthe display 216 awaiting the appearance of their data, which may alsoremain on-screen for only a set number of second. For example, suchholder-specific data may include the last date of the next billingperiod, or the total charges since the last billing period on thisparticular card or on all of the holder's credit cards. Such balanceinformation may be generated, for example, by the financial managementsoftware. The initial on-screen image may also be layered, for example,with a market-tailored backdrop and a sign-on message, both of whichpossibly being modifiable could be modified by the appropriate settingof user preferences.

Another software enhancement that may be employed is software to managememos. Certain screen choices may, for example, result in the viewing ofmemos created by and for the Pocket Vault holder. These memos may bewritten on a home PC and transferred to a Pocket Vault 102 when thePocket Vault 102 is interfaced with the personal interface station 104 cfor an update/download session. Alternatively, such memos may be createdon the Pocket Vault 102 using a screen-based keyboard function similarto that of a Palm Pilot. The memo template software may provide certainstandard backgrounds and layouts to support this feature. This featuremay help to eliminate the need for scraps of various notes now found inmost wallets.

Yet another software enhancement that may be employed is software tomanage advertising messages. Such advertising message managementsoftware may, for example, perform several noteworthy functions: (1)limiting the appearance of advertising in accordance with theadvertising profile (e.g., stored in the network server 114) of theparticular Pocket Vault holder; (2) limiting the appearance ofadvertising to a certain number of times per on-session, per hour, perday, per week and/or per month; (3) tracking the number of times eachadvertisement appears since the last download/update session (since thenumber of on-sessions during any period will govern the number ofopportunities certain advertisements have to run, this tracking may benecessary to enable billing of advertisers for actual advertisementexposure levels; (4) generating reminder advertisements for frequentbuyer cards (e.g., a message such as “Ten weeks since your last carwash! One more and the next is free!”); and (5) tracking theeffectiveness of advertising through linkage to the transaction files(e.g., the ability to build more accurate, comprehensive buying profilessince all of an individual's media are now “under one roof”).

Another software enhancement that may be employed is software to processtransaction data. Such transaction processing software may, for example,include the ability to track total outstanding transactions onparticular media and compare those to media limits at the time of thenext transaction, along with date validity of the media. If a particularpiece of media is no longer valid, selection of this item from a menumay produce a message such as “expired,” or “requires update to extendperiod of validity,” or “payment of balance required before re-use.”

Another software enhancement that may be employed is software to managefrequent buyer data. Such frequent buyer data management software may,for example, track purchases at stores with frequent buying programsthat participate in the network system 100. This software may alsoindicate any frequent buyer credits that are about to expire or createadvertisements that remind their Pocket Vault holders that they areabout to qualify for a free item. For example, a tenth gasoline purchaseat a service station/car wash may generate a message indicating that theholder is “now entitled to free car wash.”

Yet another software enhancement that may be employed is software formanaging financial information. This type of software may, for example,enable easy download advertisements into personal finance software usedby some PC owners. It may also support certain on-board functionality inthe Pocket Vault, such as charge card management, automatically shiftingfrom the preferred credit card to another credit card, for example: (1)when a transaction would cause a credit limit to be exceeded, (2) whenusing a different card would lengthen the time after which actualpayment would be due, (3) when using another card would garner desiredcontest eligibility, or maximize cash back points for a particularperiod, and/or (4) when use of another card would preclude having to payannual dues.

Another software enhancement that may be employed is Global PositioningSoftware. Integration of this functionality with memo information andfrequent buyer information may induce visits to nearby stores atconvenient times to take advantage of sales, frequent buyer credits,etc.

FIG. 13 is a flow diagram illustrating an example implementation of aprimary routine 1300 that may be executed by the controller 306 of thepocket vault interface unit 302 (FIG. 3).

As shown, the routine 1300 begins at a step 1346, wherein it isdetermined whether a card has been swiped through the stripe reader 315of the interface unit 302.

When, at the step 1346, it is determined that a card has been swiped,the routine 1300 proceeds to a step 1348, wherein information from theswiped card read by the stripe reader 315 is transmitted to theinterface station computer 304.

After the step 1348, the routine 1300 proceeds to a step 1302, whereinit is determined whether a first encrypted message has been receivedfrom the Pocket Vault 102 including an ID code that is released from thePocket Vault 102 only upon proper user authentication (e.g., in responseto a fingerprint match).

When, at the step 1346, it is determined that a card has not beenswiped, the routine 1300 proceeds directly to the step 1302 (discussedabove).

When, at the step 1302, it is determined that such a first encryptedmessage has not been received from the Pocket Vault 102, the routine1300 proceeds to a step 1338, wherein it is determined whether anyencrypted information and/or commands have been received from theinterface station computer 304.

When, at the step 1338, it is determined that information and/orcommands have been received from the interface station computer 304, theroutine 1300 proceeds to a step 1340, wherein the received informationand/or commands are forwarded to the Pocket Vault 102.

After the step 1340, the routine 1330 proceeds to a step 1342, whereinit is determined whether any information and/or commands have beenreceived from the Pocket Vault 102.

When, at the step 1338, it is determined that no information or commandshave been received from the interface station computer 304, the routine1300 proceeds directly to the step 1342 (discussed above).

When, at the step 1342, it is determined that information and/orcommands have been received from the Pocket Vault 102, the routine 1300proceeds to a step 1344, wherein the received information and/orcommands are forwarded to the interface station computer 304.

After the step 1344, the routine 1300 returns to the step 1346(discussed above).

When, at the step 1342, it is determined that no information and/orcommands have been received from the Pocket Vault 102, the routine 1300proceeds directly to the step 1346.

When, at the step 1302, it is determined that a first encrypted messageincluding a Pocket Vault ID has been received from the Pocket Vault 102,the routine 1300 proceeds to a step 1304, wherein the first encryptedmessage is forwarded to the interface station computer 304 (FIG. 3).

After the step 1304, the routine 1300 proceeds to steps 1306 and 1308,wherein it is determined whether a fingerprint has been scanned by thefingerprint scanner 316 of the pocket vault interface unit 302 before atimeout period measured by the step 1308 has elapsed.

When, at the steps 1306 and 1308, it is determined that a fingerprinthas not been scanned within the timeout period of step 1308, the routine1300 returns to the step 1346 (discussed above).

When, at the steps 1306 and 1308, it is determined that a fingerprinthas been scanned by the fingerprint scanner 316 in a timely manner, theroutine 1300 proceeds to a step 1310, wherein it is determined whetherthe scanned fingerprint matches a fingerprint stored in the memory 314of the pocket vault interface unit 302.

When, at the step 1310, it is determined that the scanned fingerprintdoes match that of an authorized operator of the interface unit 302, theroutine 1300 proceeds to a step 1312, wherein a second encryptedmessage, including an ID of the pocket vault interface unit 302 that isreleased only after a successful fingerprint match, is transmitted tothe interface station computer 304.

After the step 1312, the routine 1300 returns to the step 1346(discussed above).

When, at the step 1310, it is determined that the scanned fingerprintdoes not match any fingerprint stored in the memory 314 of the pocketvault interface unit 302, the routine 1300 proceeds to a step 1314,wherein a message is transmitted to the interface station computer 304indicating there has been an unsuccessful attempt to authenticate anoperator of the pocket vault interface unit 302.

After the step 1314, the routine 1300 proceeds to steps 1316 and 1318,wherein it is determined whether, before the expiration of a timeoutperiod measured by the step 1318, a request has been received from theinterface station computer 304 to add a new operator to the pocket vaultinterface unit 302.

When, at the steps 1316 and 1318, it is determined that such a requesthas not been received from the interface station computer 304 in atimely manner, the routine 1300 returns to the step 1302 (discussedabove).

When, at the steps 1316 and 1318, it is determined that a request to adda new operator to the pocket vault interface unit 302 has been receivedfrom the interface station computer 304 in a timely manner, the routine1300 proceeds to steps 1320 and 1322.

At the steps 1320 and 1322, it is determined whether three identicalfingerprints have been stored in the interface unit 302 for each of theoperator's two hands before the expiration of a timeout period measuredby the step 1322. The operator may be prompted, e.g., on the display 324of the interface station computer 304, to take appropriate steps toensure his or her fingerprints are properly scanned. An example routinefor obtaining the requisite fingerprint data from a user is discussedabove in connection with steps 804 a-810 a and 804 b-810 b (for thePocket Vault 102), and therefore will not be repeated here.

When, at the steps 1320 and 1322, it is determined that the requisitefingerprint information has not been stored in a timely manner, theroutine 1300 proceeds to a step 1336, wherein an indication (e.g., amessage or an audio tone) regarding the unsuccessful new operatorvalidation attempt is generated.

After the step 1336, the routine 1300 returns to the step 1346(discussed above).

When, at the steps 1320 and 1322, it is determined that the fingerprintinformation has been successfully stored in the interface unit 302 in atimely manner, the routine 1300 proceeds to a step 1324, wherein anencrypted message including an ID unique to the interface unit 302 istransmitted to the interface station computer 304 for ultimateregistration with the network server 114.

After the step 1324, the routine 1300 proceeds to step 1326 and 1328,wherein is determined whether a message including validation information(e.g., a PKI certificate for the interface unit 302) has been receivedfrom the network server 114 (via the interface station computer 304)before the expiration of a timeout period.

When, at the steps 1326 and 1328, the validation information is notreceived by the interface unit 302 in a timely manner, the routine 1300proceeds to the step 1336 (discussed above).

When, at the steps 1326 and 1328, it is determined that the validationinformation is received by the interface unit 302 in a timely manner,the routine 1300 proceeds to a step 1330, wherein the validationinformation is stored for the new operator.

After the step 1330, the routine 1300 proceeds to a step 1332, whereinan indication (e.g., a message or an audio tone) regarding thesuccessful validation of the new operator is generated.

After the step 1332, the routine 1300 returns to the step 1346(discussed above).

FIG. 14 is a flow diagram illustrating example implementation of aprimary routine 1400 that may be executed by the controller 308 of theinterface station computer 304 of FIG. 3.

As shown, the routine 1400 begins at a step 1402, wherein a menu isdisplayed on the display 324 of the interface station computer 304 thatgives the operator of the interface station computer 304 several optionsto choose from. These options may, for example, include: (1) the optionto request that a Pocket Vault 102 be validated (i.e., permitted tostore a new finger print), (2) the option to request that theinformation currently stored on a Pocket Vault 102 be updated (e.g.,information may be uploaded from the network server 114), (3) the optionto request that a transaction involving a Pocket Vault 102 beauthorized, and/or (4) the option to access a website on the networkserver 114 and take advantage of the functionality thereof.

It should be appreciated that the foregoing are only examples of menuoptions that may be provided to the operator of the interface stationcomputer 304, and that the invention is not limited to the particularexamples described. It should also be appreciated that fewer than all ofthe options shown may be provided in connection with different types ofinterface stations. For example, a validation interface station 104 amay be provided only with option (1), a personal interface station maybe provided only with option (2), and a commercial interface station maybe provided only with option (3). In many instances, option (4) may bethe only option required or desired to be employed by the user, as thewebsite may itself provide all of the functionality of the other options(1)-(3). If fact, in such circumstances, the user need not be providedwith a menu at all, as the user could simply log on the website using abrowser. An embodiment of a network system in which a website may beaccessed by a server in this manner is discussed below in connectionwith FIGS. 28-39.

After displaying the menu at the step 1402, the routine 1400 proceeds toa step 1404, wherein it is determined whether any requests to validatePocket Vaults 102 have been received.

When, at the step 1404, it is determined that no request to validate aPocket Vault 102 has been received, the routine 1400 proceeds to a step1408, wherein it is determined whether any requests to updateinformation on Pocket Vaults 102 have been received.

When, at the step 1408, it is determined that no request to update theinformation on a Pocket Vault 102 has been received, the routine 1400proceeds to a step 1412, wherein it is determined whether any requeststo authorize transactions involving Pocket Vaults 102 have beenreceived.

When, at the step 1412, it is determined that no request to authorize atransaction involving a Pocket Vault 102 has been received, the routine1400 proceeds to a step 1416, wherein it is determined whether theinterface station computer has received any messages from Pocket Vaultinterface units 302 indicating that an unsuccessful operatorauthentication has occurred (i.e., the fingerprint of an operatorscanned by the fingerprint scanner 316 has failed to match a fingerprintstored in the memory 314).

When, at the step 1416, it is determined that no such messages have beenreceived, the routine 1400 proceeds to a step 1420, wherein it isdetermined whether a request to access a website on the network server114 has been received.

When at the step 1420, it is determined that no request to access thewebsite on the network server 114 has been received, the routine 1400returns to the step 1402, wherein the menu of the various options forthe operator is again displayed. Thus, the menu 1402 is displayed untilone of the various options is selected in accordance with any of thesteps 1404, 1408, 1412, 1416, or 1420.

When, at the step 1404, it is determined that a request to validate aPocket Vault 102 has been received, the routine 1400 proceeds to a step1406, wherein the PROCESS REQUEST TO VALIDATE POCKET VAULT routine(discussed below in connection with FIG. 15) is executed.

After the step 1406, the routine 1400 proceeds to the step 1408(discussed above).

When, at the step 1408, it is determined that a request to update theinformation on a Pocket Vault 102 has been received, the routine 1410proceeds to a step 1410, wherein the PROCESS REQUEST TO UPDATE INFO ONPOCKET VAULT routine (discussed below in connection with FIG. 16) isexecuted.

After the step 1410, the routine 1400 proceeds to the step 1412(discussed above).

When, at the step 1412, it is determined that a request to authorize atransaction involving a Pocket Vault 102 has been received, the routine1400 proceeds to a step 1414, wherein the PROCESS REQUEST TO AUTHORIZETRANSACTION routine (discussed below in connection with FIG. 17) isexecuted.

After the routine 1414, the routine 1400 proceeds to the step 1416(discussed above).

When, at the step 1416, it is determined that a message has beenreceived from an the interface station computer 304 indicating that anattempted fingerprint match of an operator has failed, the routine 1400proceeds to a step 1418, wherein the PROCESS UNSUCCESSFUL OPERATORAUTHENTICATION routine (discussed below in connection with FIG. 18) isexecuted.

After the routine 1418, the routine 1400 proceeds to the step 1420(discussed above).

When, at the step 1420, it is determined that a request to access awebsite on the network server 114 has been received, the routine 1400proceeds to a step 1422, wherein the PROCESS REQUEST TO ACCESS WEBSITEroutine (discussed below in connection with FIGS. 30-39) is executed.

After the step 1422, the routine 1400 returns to the step 1402(discussed above).

FIG. 15 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO VALIDATE POCKET VAULT routine of FIG. 14 (step 1406).

As shown, the routine 1406 begins at a step 1502, wherein the potentialnew Pocket Vault holder is prompted to apply his or her fingerprint tothe fingerprint scanner 220 of the Pocket Vault 102, and to interfacethe Pocket Vault 102 with the pocket vault interface unit 302. This maybe accomplished, for example, by interfacing the docking interface 208of the Pocket Vault 102 with the docking interface 312 of the pocketvault interface unit 302.

After the step 1502, the routine 1406 proceeds to steps 1504 and 1506,wherein it is determined whether an encrypted message including the IDof the Pocket Vault 102 has been received from the pocket vaultinterface unit 302 prior to the expiration of a timeout period measuredby the step 1506.

When, at the steps 1504 and 1506, it is determined that an encryptedmessage including the ID of the Pocket Vault 102 has not been receivedfrom the pocket vault interface unit 302 in a timely manner, the routine1406 proceeds to a step 1526, wherein a message is displayed on thedisplay 324 of the interface station computer 304 indicating that anerror has occurred in the Pocket Vault validation process.

When, at the steps 1504 and 1506, it is determined that an encryptedmessage including the ID of the Pocket Vault 102 has been received fromthe pocket vault interface unit 302 in a timely manner, the routine 1406proceeds to a step 1506, wherein the interface station operator isprompted to apply his or her fingerprint to the fingerprint scanner 316of the pocket vault interface unit 302.

After the step 1506, the routine 1406 proceeds to steps 1508 and 1510,wherein it is determined whether an encrypted message including the IDof the pocket vault interface unit 302 has been received from the pocketvault interface unit 302 prior to the expiration of a timeout periodmeasured by the step 1510.

When, at the steps 1508 and 1510, it is determined that an encryptedmessage including the ID of the pocket vault interface unit 302 has notbeen received from the pocket vault interface unit 302 in a timelymanner, the routine 1406 proceeds to the step 1526, wherein a message isdisplayed on the display 324 of the interface station computer 304indicating that the attempt to authorize the interface station operatorwas unsuccessful.

After the step 1526, the routine 1406 terminates.

When, at the steps 1508 and 1510, it is determined that an encryptedmessage including the ID of the pocket vault interface unit 302 has beenreceived from the pocket vault interface unit 302 in a timely manner,the routine 1406 proceeds to a step 1512, wherein the interface stationoperator is prompted to input information regarding the new Pocket Vaultholder into the interface station computer 304.

After the step 1512, the routine 1406 proceeds to a step 1514, whereatthe routine 1406 waits until all of the requisite information regardingthe new Pocket Vault holder has been entered properly (e.g., via theuser input device 318 of the interface station computer 304).

After the step 1514, the routine 1406 proceeds to a step 1516, whereinthe network server 114 (FIG. 1) is contacted.

After the step 1516, the routine 1406 proceeds to a step 1518, whereinthe information regarding the new Pocket Vault holder is transmitted tothe network server 114, along with a request that the new Pocket Vaultholder be validated.

After the step 1518, the routine 1406 proceeds to steps 1520 and 1522,wherein it is determined whether the network server 114 has acknowledgedthe request by the interface station computer 304 prior to theexpiration of a timeout period measured by the step 1522.

When, at the steps 1520 and 1522, it is determined that the networkserver 114 has not acknowledged the request by the interface stationcomputer 304 in a timely manner, the routine 1406 proceeds to a step1524, wherein a message is displayed on the display 324 indicating thata transmission failure has occurred.

When, at the steps 1520 and 1522, it is determined that the networkserver 114 has acknowledged the request by the interface stationcomputer 304 in a timely manner, the routine 1406 proceeds to a step1528, wherein, in an encrypted format, the information regarding the newPocket Vault holder is transmitted to the network server 114, along withthe interface station operator ID, the interface unit ID, and the PocketVault ID.

After the step 1528, the routine 1406 proceeds to steps 1530 and 1532,wherein it is determined whether encrypted validation information (e.g.,a PKI certificate) has been received from the network server 114 priorto the expiration of a timeout period measured by the step 1532, andprior to receiving a message from the network server 114 indicating thatthe request to validate the new Pocket Vault holder has been denied.

When, at the steps 1530 and 1532, it is determined that encryptedvalidation information has not been received from the network server 114in a timely manner, or it is determined that a message has been receivedindicating that the request to validate the new Pocket Vault holder hasbeen denied, the routine 1406 proceeds to a step 1538, wherein a messageis displayed on the display 324 indicating that the attempt to validatethe Pocket Vault 102 was unsuccessful.

When, at the steps 1530 and 1532, it is determined that encryptedvalidation information has been received from the network server 114 ina timely manner, the routine 1406 proceeds to a step 1534, wherein theencrypted validation information (e.g., a PKI certificate) from thenetwork server 114 is forwarded to the pocket vault interface unit 302for forwarding on to the Pocket Vault 102.

After the step 1534, the routine 1406 proceeds to a step 1536, wherein amessage is displayed on the display 324 indicating that the attempt tovalidate the Pocket Vault 102 was successful. In addition to thismessage, when the pocket vault interface unit 302 forwards this messageon to the Pocket Vault 102, the Pocket Vault 102 itself may provide, forexample, an audio indication such as a chime, indicating that the PocketVault 102 has been successfully validated.

FIG. 16 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO UPDATE INFO ON POCKET VAULT routine of FIG. 14 (step1410).

As shown, the routine 1410 begins at a step 1602, wherein the PocketVault holder is prompted to apply his or her fingerprint to thefingerprint scanner 220 of the Pocket Vault 102, and to interface thePocket Vault 102 with the pocket vault interface unit 302.

After the step 1602, the routine 1410 proceeds to steps 1604 and 1606,wherein it is determined whether an encrypted message including the IDof the Pocket Vault 102 has been received from the pocket vaultinterface unit 302 prior to the expiration of a timeout period measuredby the step 1606.

When, at the steps 1604 and 1606, it is determined that an encryptedmessage including the ID of the Pocket Vault 102 has not been receivedfrom the pocket vault interface unit 302 in a timely manner, the routine1410 proceeds to a step 1634, wherein a message is displayed on thedisplay 324 of the interface station computer 304 indicating that theattempt to authorize the Pocket Vault holder was unsuccessful.

When, at the steps 1604 and 1606, it is determined that an encryptedmessage including the ID of the Pocket Vault 102 has been received fromthe pocket vault interface unit 302 in a timely manner, the routine 1410proceeds to a step 1607, wherein the interface station operator isprompted to apply his or her fingerprint to the fingerprint scanner 316of the pocket vault interface unit 302.

After the step 1607, the routine 1410 proceeds to steps 1608 and 1610,wherein it is determined whether an encrypted message including the IDof the pocket vault interface unit 302 has been received from the pocketvault interface unit 302 prior to the expiration of a timeout periodmeasured by the step 1610.

When, at the steps 1608 and 1610, it is determined that an encryptedmessage including the ID of the pocket vault interface unit 302 has notbeen received from the pocket vault interface unit 302 in a timelymanner, the routine 1410 proceeds to the step 1634, wherein a message isdisplayed on the display 324 of the interface station computer 304indicating that the attempt to authorize the interface station operatorwas unsuccessful.

After the step 1634, the routine 1410 terminates.

When, at the steps 1608 and 1610, it is determined that an encryptedmessage including the ID of the pocket vault interface unit 302 has beenreceived from the pocket vault interface unit 302 in a timely manner,the routine 1410 proceeds to a step 1612, wherein the network server 114is contacted.

After the step 1612, the routine 1410 proceeds to a step 1614, wherein arequest to update the information on the Pocket Vault 102 is transmittedto the network server 114.

After the step 1614, the routine 1410 proceeds to steps 1616 and 1618,wherein it is determined whether the network server 114 has acknowledgedthe request by the interface station computer 304 prior to theexpiration of a timeout period measured by the step 1618.

When, at the steps 1616 and 1618, it is determined that the networkserver 114 has not acknowledged the request by the interface stationcomputer 304 in a timely manner, the routine 1410 proceeds to a step1620, wherein a message is displayed on the display 324 indicating thata transmission failure has occurred.

When, at the steps 1616 and 1618, it is determined that the networkserver 114 has acknowledged the request by the interface stationcomputer 304 in a timely manner, the routine 1410 proceeds to a step1622, wherein, in an encrypted manner, the interface station operatorID, the interface unit ID, and the Pocket Vault ID are transmitted tothe network server 114.

After the step 1622, the routine 1410 proceeds to steps 1624 and 1626,wherein it is determined whether encrypted updates have been receivedfrom the network server 114 for loading onto the Pocket Vault 102 priorto the expiration of a timeout period measured by the step 1620, andprior to the network server 114 denying the requested attempt to uploadinformation.

When, at the steps 1624 and 1626, it is determined that the encryptedupdates have been received in a timely manner, the routine 1410 proceedto a step 1630, wherein the received updates are transmitted to thepocket vault interface unit 302 so that they may be subsequentlyforwarded to the Pocket Vault 102 for uploading thereto.

After the step 1630, the routine 1410 proceeds to a step 1632, wherein amessage is displayed to the holder indicating that the requested updateshave been successfully uploaded to the Pocket Vault 102.

After the step 1632, the routine 1410 terminates.

When, at the steps 1624 and 1626, it is determined that the encryptedupdates have not been received from the network server 114 in a timelymanner, or that the network server 114 has denied the request to uploadinformation onto the Pocket Vault 102, the routine 1410 proceeds to astep 1628, wherein a message is displayed on the display 324 indicatingthat the attempt to update the information on the Pocket Vault 102 wasunsuccessful.

After the step 1628, the routine 1410 terminates.

FIG. 17 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO AUTHORIZE TRANSACTION routine of FIG. 14 (step 1414).

As shown, the routine 1414 begins at a step 1702, wherein the operatorof the interface station computer 304 is prompted to input informationregarding the proposed transaction involving the Pocket Vault 102.

After the step 1702, the routine 1414 waits at a step 1704 until all ofthe information regarding the requested transaction has been entered.

After, at the step 1704, it is determined that all of informationregarding the requested transaction has been entered, the routine 1414proceeds to a step 1706, wherein the Pocket Vault holder is prompted toapply his or her fingerprint to the fingerprint scanner 220 of thePocket Vault 102, and to interface the Pocket Vault with the pocketvault interface unit 302.

After the step 1706, the routine 1414 proceeds to steps 1708 and 1710,wherein it is determined whether an encrypted message including the IDof the Pocket Vault 102 has been received from the pocket vaultinterface unit 302 prior to the expiration of a timeout period measuredby the step 1710.

When, at the steps 1708 and 1710, it is determined that an encryptedmessage including the ID of the Pocket Vault 102 has not been receivedfrom the pocket vault interface unit 302 in a timely manner, the routine1414 proceeds to a step 1726, wherein a message is displayed on thedisplay 324 of the interface station computer 304 indicating that theattempt to authorize the Pocket Vault holder was unsuccessful.

When, at the steps 1708 and 1710, it is determined that an encryptedmessage including the ID of the Pocket Vault 102 has been received fromthe pocket vault interface unit 302 in a timely manner, the routine 1414proceeds to a step 1712, wherein the interface station operator isprompted to apply his or her fingerprint to the fingerprint scanner 316of the pocket vault interface unit 302.

After the step 1712, the routine 1414 proceeds to steps 1714 and 1715,wherein it is determined whether an encrypted message including the IDof the pocket vault interface unit 302 has been received from the pocketvault interface unit 302 prior to the expiration of a timeout periodmeasured by the step 1715.

When, at the steps 1714 and 1715, it is determined that an encryptedmessage including the ID of the pocket vault interface unit 302 has notbeen received from the pocket vault interface unit 302 in a timelymanner, the routine 1414 proceeds to the step 1726, wherein a message isdisplayed on the display 324 of the interface station computer 304indicating that the attempt to authorize the interface station operatorwas unsuccessful.

After the step 1726, the routine 1414 terminates.

When, at the steps 1714 and 1715, it is determined that an encryptedmessage including the ID of the pocket vault interface unit 302 has beenreceived from the pocket vault interface unit 302 in a timely manner,the routine 1414 proceeds to a step 1716, wherein the network server 114is contacted.

After the step 1716, the routine 1414 proceeds to a step 1718, whereinthe request regarding the proposed transaction involving the PocketVault 102 is transmitted to the network server 114.

After the step 1718, the routine 1414 proceeds to step 1720 and 1722,wherein it is determined whether the transaction request has beenacknowledged by the network server 114 before the expiration of atimeout period measured by the step 1722.

When, at the steps 1720 and 1722, it is determined that the request hasnot been acknowledged in a timely manner, the routine 1414 proceeds to astep 1724, wherein a message is displayed on the display 324 indicatingthat a transmission failure has occurred.

After the steps 1724, the routine 1414 terminates.

When, at the steps 1722 and 1724, it is determined that the request hasbeen acknowledged in a timely manner, the routine 1414 proceeds to astep 1728, wherein encrypted information about the requested transactionis transmitted to the network server 114, along with the interfacestation operator ID, the interface unit ID, and the Pocket Vault ID.

After the step 1728, the routine 1414 proceeds to steps 1730 and 1732,wherein it is determined whether an encrypted transaction approvalmessage has been received from the network server 114 prior to theexpiration of a timeout period measured by the step 1732.

When, at the steps 1730 and 1732, it is determined that an encryptedtransaction approval message has not been received in a timely manner,or that approval for the requested transaction has been denied by thenetwork server 114, the routine 1414 proceeds to a step 1736, wherein amessage is displayed on the display 324 indicating that the attempt toauthorize the requested transaction has failed.

When, at the steps 1730 and 1732, it is determined that an encryptedtransaction approval message has been received in a timely manner, theroutine 1414 proceeds to a step 1734, wherein a message is forwarded tothe pocket vault interface unit 302 indicating that the requestedtransaction has been approved. This message may also be used to updateinformation on the Pocket Vault 102, and/or to cause the Pocket Vault102 to generate an indication (e.g., an audio tone) that the transactionhas been approved.

After the step 1734, the routine proceeds to a step 1738, wherein amessage is displayed on the display 324 indicating that the requestedtransaction has been approved.

After the step 1738, the routine 1414 terminates.

FIG. 18 is a flow diagram illustrating an example implementation of thePROCESS UNSUCCESSFUL OPERATOR AUTHENTICATION routine of FIG. 14 (step1418).

As shown, the routine 1418 begins at a step 1802, wherein the operatorof the interface station computer 304 is informed that the attempted usethe pocket vault interface unit 302 (when the operator applied his orher finger print to the fingerprint scanner 316) was not authorized.

After the step 1802, the routine 1418 proceeds to a step 1804, whereinthe operator is prompted to either: (1) add a NEW OPERATOR to theinterface unit 302, or (2) ABORT the attempt to use the interface unit302.

When, at the step 1806, it is determined that the operator has chosen toABORT the attempt to use the interface unit 302, the routine 1418terminates.

When, at the step 1806, it is determined that the operator has chosen toadd a NEW OPERATOR, the routine 1418 proceeds to a step 1808, wherein amessage is transmitted to the pocket vault interface unit 302 indicatingthe operator's desire to add a new operator to the pocket vaultinterface unit 302.

After the step 1808, the routine 1418 proceeds to a step 1810, whereinthe operator is prompted to input information regarding the proposed newoperator into the interface station computer 304 (e.g., using the userinput device 318), and is provided with instructions as to theapplication of three identical fingerprints from each of his or her twohands to the fingerprint scanner 316 of the interface unit 302.

After the step 1810, the routine 1418 proceeds to a step 1812 whereinthe routine 1418 waits until all of the requisite information regardingthe proposed new interface station operator has been entered properly.

When, at the step 1812, it is determined that all of the requisiteinformation regarding the proposed new operator has been enteredproperly, the routine 1418 proceeds to a step 1814, wherein the networkserver 114 is contacted.

After the step 1814, the routine 1418 proceeds to a step 1816, whereinthe request to add the new operator to the pocket vault interface unit302 is transmitted to the network server 1 14.

After the step 1816, the routine 1418 proceeds to steps 1818 and 1820,wherein it is determined whether the request by the interface stationcomputer has been acknowledged by the network server 114 prior to theexpiration of a timeout period measured by the step 1820.

When, at the steps 1818 and 1820, it is determined that the request hasnot been acknowledged in a timely manner, the routine 1418 proceeds tothe step 1822, wherein a

transmission failure message is displayed.

After the step 1822, routine 1418 terminates.

When, at the steps 1818 and 1820, it is determined that the request hasbeen acknowledged in a timely manner, the routine 1418 proceeds to thestep 1824, wherein a message, including the information regarding theproposed new operator and the interface unit ID, is transmitted to thenetwork server 114 in an encrypted manner.

After the step 1824, the routine 1418 proceeds to steps 1826 and 1828,wherein it is determined whether encrypted validation information (e.g.,a PKI certificate) has been received from the network server 114 priorto the expiration of a timeout period measured by the step 1828, andprior to the network server 114 denying the addition of the newinterface station operator.

When, at the steps 1826 and 1828, it is determined that encryptedvalidation information has been received from the network server 114 ina timely manner, the routine 1418 proceeds to a step 1830, wherein theencrypted validation information (e.g., a PKI certificate) is forwardedfrom the interface station computer 304 to the pocket vault interfaceunit 302.

After the step 1830, the routine 1418 proceeds to a step 1834, wherein amessage is generated indicating that the attempt to add the new operatorto the pocket vault interface unit 302 was successful.

After the step 1834, the routine 1418 terminates.

When, at the steps 1826 and 1828, it is determined that encryptedvalidation information has not been received from the network server 114in a timely manner, the routine 1418 proceeds to a step 1832, wherein amessage is generated indicating that the attempt to add the new operatorto the pocket vault interface unit 302 was unsuccessful.

After the step 1832, routine 1418 terminates.

FIG. 19 is a flow diagram illustrating an example implementation of aprimary routine 1900 that may be executed by the network server 114 ofFIG. 1.

As shown, the routine 1900 may begin at a step 1902, wherein it isdetermined whether any requests have been received to register newPocket Vault holders.

When, at the step 1902, it is determined that a request has beenreceived to register a new Pocket Vault holder, the routine 1900proceeds to a step 1904, wherein the request to register the new PocketVault holder is processed. An example of a routine that may be employedto implement the step 1904 is discussed in more detail below inconnection with FIG. 20.

When, at the step 1902, it is determined that no request to register anew Pocket Vault holder has been received, the routine 1900 proceeds toa step 1906, wherein consumer marketing information is compiled andtransmitted to subscribing media issuers and advertisers.

After the step 1906, the routine 1900 proceeds to a step 1908, whereinit is determined whether any requests from media issuers or advertisershave been received to update the network server 114.

According to one aspect of the invention, media issuers and advertisersmay have the option to utilize the functionality of the network server114 to update the account characteristics of authenticated Pocket Vaultholders. These updates may, for example, be delivered from the computers108, 110, and 112 to a secure location within the database 406. Wheneach selected holder next synchronizes with network server 114 (e.g., asdescribed below in connection with routine 1914 of FIG. 22), any mediacharacteristics updated by the media issuers or advertisers may beuploaded to that holder's the Pocket Vault 102. The database of accountupdates may be revised periodically based on the media issuer's systems(e.g., pursuant to the routine 1910 of FIG. 21—described below).Confirmation of the update process may be provided to the issuer after asynchronization session is complete for a particular Pocket Vault holder(see step 2206 of routine 1914 (FIG. 22) below).

When, at the step 1908, it is determined that a request to update thenetwork server 114 has been received from a media issuer or advertiser,the routine 1900 proceeds to a step 1910, wherein the request from themedia issuer or advertiser is processed. An example of a routine thatmay be employed to implement the step 1910 is discussed in more detailbelow in connection with FIG. 21.

When, at the step 1908, it is determined that no request from a mediaissuer or advertiser to update the network server 114 has been received,the routine 1900 proceeds to a step 1912, wherein it is determinedwhether any requests have been received from holders to updateinformation on their Pocket Vaults.

When, at the step 1912, it is determined that such a request has beenreceived, the routine 1900 proceeds to a step 1914, wherein the requestto update the Pocket Vault information is processed. An example of aroutine that may be employed to implement the step 1914 is described inmore detail below in connection with FIG. 22.

When, at the step 1912, it is determined that no request from a holderto update information on a Pocket Vault 102 has been received, theroutine 1900 proceeds to a step 1916, wherein it is determined whetherany holders have requested that new files be loaded onto the networkserver 114.

When, at the step 1916, it is determined that a holder has requestedthat a new file be loaded onto the network server 114, the routine 1900proceeds to a step 1918, wherein the holder's request to load the newfile onto the network server 114 is processed. An example of a routinethat may be employed to implement the step 1918 is described in moredetail below in connection with FIG. 23.

When, at the step 1916, it is determined that no request by a holder toload a file onto the network server 114 has been received, the routine1900 proceeds to a step 1920, wherein it is determined whether anyrequests have been made to authorize transactions. Such a request may bemade, for example, by a merchant operating a commercial interfacestation 104 c. In this regard, it should be appreciated that, when atoken 102 a is employed to engage in a transaction with a commercialcard reader 106 or a commercial bar code reader 107, a request fortransaction approval may not be made to the network server 114. Insteadsuch a transaction approval request may be made through conventional,existing communication and approval channels for such devices.Therefore, it should be understood that the step 1922 is generallyreached only when it is possible for the network server 114 to check theidentity of the Pocket Vault holder, the identity of the Pocket Vault102, and possibly identity of the operator of a commercial interfacestation, based on communications with the Pocket Vault 102 (e.g., via acommercial interface station 104 c or via a wireless network such asBluetooth).

When, at the step 1920, it is determined that a request to authorize atransaction has been made, routine 1900 proceeds to a step 1922, whereinthe request to authorize the transaction is processed. An example of aroutine that may be employed to implement the step 1922 is discussed inmore detail below in connection with FIG. 24.

When, at the step 1920, it is determined no request to authorize atransaction has been made, the routine 1900 returns to the step 1902(discussed above). With regard to the routine 1900 of FIG. 19, it shouldbe appreciated that all of the requests to accomplish the various tasksmay be placed in a queue so that they are serviced on a first-come,first-served or any other basis, rather than servicing them in theparticular order shown in FIG. 19.

FIG. 20 is a flow-diagram illustrating an example of a routine that maybe employed to implement the step 1904 of the routine 1900 (FIG. 1).

As shown, the routine 1904 begins at a step 2002, wherein a requestreceived from the interface station computer 304 to register a newPocket Vault holder is acknowledged, and the network server 114 requeststhe interface station computer 304 to transfer the relevant informationregarding the proposed new holder to the network server 114.

After the step 2002, the routine 1904 proceeds to a step 2004, whereinthe routine 1904 waits for all of the requisite holder registrationinformation to be received from the interface station computer 304.

When, at the step 2004, it is determined that all of the requisiteholder registration information has been received from the interfacestation computer 304, the routine 1904 proceeds to a step 2006, whereinit is determined whether the proposed Pocket Vault use is authorized. Anexample of a routine that may be employed to implement the step 2006 isdiscussed below in connection with FIG. 25. In determining whether aparticular Pocket Vault use is authorized, there are numerous parameterswhich may be checked. For example, the port to which the interfacestation computer is connected (e.g., the telephone number or IP addressof the computer) may be checked to ensure that it is authorized.Additionally, information from the interface station computer 304 (e.g.,a “cookie”) may be checked to ensure that the computer itself has beenregistered with the system. Further, it can be checked whether thecurrent operator of the interface station computer 304 is registered asbeing associated with the interface station computer 304 being used, andthat the proposed new Pocket Vault holder is authorized to use thatparticular the Pocket Vault 102. In sum, the identity of (1) each pieceof equipment, (2) each operator of each piece of equipment, and (3) eachlocation of each piece of equipment may be checked to ensure that theparticular use of the Pocket Vault is authorized. It should beappreciated fewer than all of these parameters, different parameters,and/or additional parameters can be checked in alternative embodimentsof the invention, and that the invention is not limited to embodimentswherein all of the aforementioned parameters are checked to verify thata particular Pocket Vault use is authorized.

When, at the step 2006, it is determined that the Pocket Vault use isnot authorized, the routine 1904 terminates. In such a situation, it isalso possible to generate some sort of security alert message to putsomeone or some entity on notice that an unauthorized use of a PocketVault has occurred.

When, the routine 2006 has determined that the proposed Pocket Vault useis authorized, the routine 1904 proceeds to a step 2008, wherein all ofthe relevant information regarding the new Pocket Vault registration islogged into the database 406 of the network server 114 (FIG. 4). Asshown in FIG. 20, this information may include, for example, theinterface station operator ID, the interface unit ID, the Pocket VaultID, and all of the relevant information relating to the new Pocket Vaultholder.

After the step 2008, the routine 1904 proceeds to a step 2010, whereinthe network server 114 transmits encrypted validation information to theinterface station computer 304, which then may be passed on to thepocket vault interface unit 302, and then to the Pocket Vault 102, so asto enable the new holder's fingerprint to be stored in the memory of thePocket Vault 102.

After the step 2010, the routine 1904 terminates.

FIG. 21 is a flow diagram illustrating example of a routine that may beemployed to implement the step 1910 of the primary routine 1900 (FIG.19).

As shown, the routine 1910 begins at a step 2102, wherein it isdetermined whether all of the requested updates have been received fromthe media issuer or advertiser.

When, at the step 2102, it has been determined that all of the requestedupdates have been received, the routine 1910 proceeds to a step 2104,wherein it is determined whether the media issuer or advertiser isauthorized access to the network server 114. This authorization processmay require some sort of authentication of the identity of the computerused by the media issuer or advertiser requesting the update, theoperator of the computer, and/or the location of the computer, in amanner similar to that in which the interface stations 104 and theiroperators are authorized.

When, at the step 2104, it is determined that the media issuer oradvertiser is not authorized access to the network server 114, theroutine 1900 proceeds to a step 2106, wherein a message is transmittedto the media issuer or advertiser informing the media issuer oradvertiser that access to the network server 114 has been denied.

After the step 2106, the routine 1910 terminates.

When, at the step 2104, it is determined that the media issuer oradvertiser is authorized access to the network server 114, the routine1910 proceeds to a step 2108, wherein the updates received from themedia issuer or advertiser are logged onto the network server 114.

After the step 2108, the routine 1910 terminates.

FIG. 22 is a flow diagram illustrating an example a routine that may beemployed to implement the step 1914 of the primary routine 1900 (FIG.19).

As shown, the routine 1914 begins at the step 2006 (discussed below inconnection with FIG. 25), wherein it is determined whether the attemptedPocket Vault use is authorized.

When, at the step 2006, it is determined that the Pocket Vault use isnot authorized, the routine 1914 terminates.

When, at the step 2006, it is determined that the Pocket Vault use isauthorized, the routine 1914 proceeds to a step 2202, wherein encryptedupdates are transmitted to the interface station computer 304 forloading onto the Pocket Vault 102.

After the step 2202, the routine 1914 proceeds to steps 2204 and 2206,wherein the time and date of the updates are logged (step 2204), and themedia issuers or advertisers are informed that the updates have beenmade (step 2206).

FIG. 23 is a flow diagram illustrating an example of a routine that maybe employed to implement the step 1918 of the primary routine 1900 (FIG.9).

As shown, the routine 1918 begins at a step 2302, wherein it isdetermined whether the file to be loaded onto the network server 114relates to a secure media issuer.

When, at the step 2302, it is determined that the file does not relateto a secure media issuer, the routine 1918 proceeds to a step 2304,wherein the network server 114 is updated with the non-secure file.

After the step 2304, the routine 1918 terminates.

When, at the step 2302, it is determined that the to-be-loaded file doesrelate to a secure media issuer, the routine 1918 proceeds to a step2306, wherein it is determined whether the secure media issuer is aPocket Vault participant (i.e., a media issuer having access to thenetwork server 114).

When, at the step 2306, it is determined that the secure media issuer isnot a Pocket Vault participant, the routine 1918 proceeds to a step2308, wherein an advisory is sent to the holder indicating an inabilityto load the file, and inquiring as to whether the holder desires to loadthe file in a non-secure format. The holder may, for example, opt toload the file to the network server 114 in such a way that the contentof the file is not encodable to the Chameleon Card, but can be displayedand shown to a POS operator and manually keyed in at POS by the POSoperator.

After the step 2308, the routine 1918 proceeds to a step 2316, whereinit is determine whether the holder has elected to load the file in anon-secure format.

When, at the step 2316, it is determined that the holder has elected notto load the file in a non-secure format, the routine 1918 terminates.

When, at the step 2316, it is determined that the holder has elected toload the file in a non-secure format, the routine 1918 proceeds to astep 2318, wherein the file is loaded onto the network server 114 in anon-secure format.

After the step 2318, the routine 1918 terminates.

When, at the step 2306, it is determined that the secure media issuer isa Pocket Vault participant, the routine 1918 proceeds to a step 2310,wherein the media issuer is queried as to the account status of theholder.

After the step 2310, the routine 1918 proceeds to a step 2312, whereinit is determined whether authorization has been received from the mediaissuer to load the file.

When, at the step 2312, it is determined that authorization has not beenreceived from the media issuer, the routine 1918 proceeds to the step2308 (discussed above).

When, at the step 2312, it is determined that authorization has beenreceived from the media issuer, the routine 1918 proceeds to a step2314, wherein the network server 114 is updated with the secure file.

After the step 2314, the routine 1918 terminates.

FIG. 24 is a flow diagram illustrating an example of a routine that maybe employed to implement the step 1922 of the primary routine 1900 (FIG.19).

As shown, the routine 1922 begins at the step 2006 (discussed below inconnection with FIG. 25), wherein it is determined whether the attempteduse of the Pocket Vault 102 is authorized.

When, at the step 2006, it is determined that the attempted Pocket Vaultuse is not authorized, the routine 1922 terminates.

When, at the step 2006, it is determined that the attempted Pocket Vaultused is authorized, the routine 1922 proceeds to a step 2402, wherein itis determined whether the requested transaction is within acceptableaccount parameters (e.g., as set by the media issuer).

When, at the step 2402, it is determined that the requested transactionis not within acceptable account parameters, the routine 1922 proceedsto a step 2404, wherein a message is transmitted to the entity thatrequested the transaction (e.g., a commercial interface station 104C, acard reader 106, or a barcode reader 107) indicating that thetransaction is outside of acceptable account parameters.

After the step 2404, the routine 1922 terminates.

When, at the step 2402, it is determined that the requested transactionis within acceptable account parameters, information regarding thetransaction is logged into the database 406 of the network server 114(FIG. 4). As shown, the logged information may include theidentification of the entity with which the transaction took place, thePocket Vault ID (if available), and the time and date of thetransaction.

After the step 2406, the routine 1922 proceeds to a step 2408, whereinan encrypted approval message is transmitted to the entity with whichthe transaction is being attempted (e.g., a commercial interface station104C, a card reader 106, or a barcode reader 107).

After the step 2408, the routine 1922 terminates.

FIG. 25 is a flow diagram illustrating an example of a routine that mayemployed to implement the step 2006 of the routines 1904 (FIG. 20), 1914(FIG. 22), and 1922 (FIG. 24).

As shown, the routine 2006 begins at a step 2502, wherein it isdetermined whether the point of sale terminal or other entity with whicha transaction is being attempted is connected to a valid source (e.g.,an authorized telephone line or an authorized internet protocol (IP)address).

When, at the step 2502, it is determined that the entity proposing thetransaction is not connected to a valid source, the routine 2006proceeds to a step 2510, wherein the transaction is refused, and asecurity alert is generated so that appropriate action(s) may be taken.

When, at the step 2502, it is determined that the entity proposing thetransaction is connected to a valid source, the routine 2006 proceeds toa step 2504, wherein it is determined whether the ID of the interfacestation, card reader, barcode reader or RFID interrogator is valid, andis properly linked to the source to which is connected.

When, at the step 2504, it is determined that the ID of the entityproposing the transaction is not valid, the routine proceeds to the step2510 (discussed above).

When, at the step 2504, it is determined that the ID of the entityproposing the transaction is valid, the routine 2006 proceeds to a step2506, wherein it is determined whether the Pocket Vault ID (ifavailable) is valid. It should be appreciated that, when a card reader106, a barcode reader 107, an RF signal receiver, or an RFIDinterrogator is employed, it is possible that the ID from the PocketVault will not be transmitted to the network server 114. Therefore, thestep 2506 may be skipped in such a situation.

When, at the step 2506, it is determined that the Pocket Vault ID (whenavailable and required) is not valid, the routine 2006 proceeds to thestep 2510 (discussed above).

When, at the step 2506, it is determined that the Pocket Vault ID (when)is valid or is not required, the routine 2006 proceeds to a step 2508,wherein it is determined whether the Pocket Vault ID (if available) islinked to the ID of the entity proposing the transaction, e.g., acommercial interface station 104 c, a card reader 106, a barcode reader107, or an RFID interrogator 107.

When, at the step 2508, it is determined that the ID of the Pocket Vault102 (when available) is not linked to the ID of the entity proposing thetransaction, the routine 2006 proceeds to the step 2510 (discussedabove).

When, at the step 2508, it is determined that the Pocket Vault ID islinked to the ID of the entity proposing the transaction, or that the IDof the Pocket Vault is not required, the routine 2006 proceeds to a step2512, wherein the Pocket Vault use is authorized.

With regard to the information checked in connection with the routine2006 to determine whether a particular Pocket Vault use is authorized,it should be appreciated that, in some embodiments, fewer than all ofthe verification steps discussed above may be performed when lesserdegrees of security are desired or required. For example, in someembodiments, there may be no restrictions as to who can operate aninterface station, the source to which the station is connected, and/orthe ID of the station.

FIG. 27 illustrates a network system similar to that describedhereinabove. The system of FIG. 27, however, includes several additionalcomponents which serve to increase the network's functionality andutility. Accordingly, it should be appreciated that, in addition to thecomponents illustrated in FIG. 27, the system may also include all orsome of the components and features of the system described above inconnection with FIGS. 1-26, and may also incorporate all or some of thatsystem's functionality.

As shown in FIG. 27, the Pocket Vault 102 may be coupled to an interfacestation 104 (including an interface unit 302 coupled to an the interfacestation computer 304). The interface unit 302 may include acommunication port 2706, which is adapted to perform basiccommunications functions for interaction between the interface unit 302and each of the Pocket Vault 102 and the interface station computer 304.This communication can take place over physical wires using a USBprotocol or HotWire, or any other suitable protocol. Alternatively, thecommunication can be wireless, using a standard wireless protocol, suchas Bluetooth, or any other suitable protocol. The communication port2706 may, of course, be adapted to perform communications functionsdepending on the requirements on the particular protocol used. In anexample embodiment, a USB protocol is used, and the interface unit 302is connected to the interface station computer 304 through a USB port.Several suitable methods/techniques for interfacing the Pocket Vault 102with the interface unit 302 are described above.

In addition to the communication port 2706, as in the embodimentdescribed above, the interface unit 302 contains a stripe reader 315.The purpose and operation of the stripe reader 315 is described below inconnection with FIG. 34.

The interface station computer 304 may be any suitable computer thatemploys one or more processors to execute instructions stored in memory.The interface station computer 304 may even comprise severalinter-networked computers.

In the illustrative embodiment shown, the interface station computer 304may use the communication software 2710 to communicate with the networkserver 114 via the network 2724. The communication software 2710 may beany of a number of communication programs known in the art, and theinvention is not limited to any particular type of software. Thesoftware 2710 may, for example, comprise a web browser, a terminalemulation program, a proprietary program, or any other software modulecapable of communicating with other computers using the network 2724.The network 2724 may be any communication network known in the art. Forexample, the network 2724 may comprise the World Wide Web, a Local AreaNetwork, or any other networking arrangement adapted for communicationbetween digital computers.

In the embodiment shown, the communication software 2710 uses internetsettings 2722 when accessing the network 2724. The internet settings2710 may include any user preferences or software settings relevant tocommunication functions and usability of the communication software2710. The internet settings 2722 may comprise, for example, the networkname and the identification of the interface station computer 304, anidentification of communications protocols used to connect to thenetwork 2724, network preferences, such as whether any proxy servers mayor should be used, a list of frequently-used servers, cookies previouslyobtained from various websites, digital certificates, personalbookmarks, user identity data, user password data for various servers,etc.

The communication software 2710 may access the network 2724 throughcommunication protocol layer 2714. Depending on how the interfacestation computer 304 is physically connected to the network 2724. Thecommunication protocol layer 2714 may be dial-up software, a TCP/IPlayer, or any other suitable networking layer. The communicationprotocol layer 2714 may, for example, execute low-level communicationfunctions, thereby providing useful abstractions to the communicationsoftware 2710. In an example embodiment, the interface station computer304 is connected to the network 2724 using a modem, and thecommunication protocol layer 2714 is a dialup software module.

As shown, the interface station computer 304 may also contain one ormore communication drivers 2712. Although multiple drivers may, in fact,be employed, for simplicity of discussion, the description hereinaftermay refer to all such drivers as a single “driver.” The communicationdriver 2712 acts both as a device driver for the interface unit 302, andalso as a communications driver capable of accessing internet settings2722 and facilitating communications between the Pocket Vault 102 andthe server 114 by using the communication protocol layer 2714 toestablish a connection to the network server 114 through the network2724.

The network server 114 may comprise any suitable processor-based deviceor its equivalent. It may be either a single or multi-processor machine,or even a collection of servers inter-networked together. In oneembodiment, the network server 114 stores both data and applicationsthat are accessible to users. The network server 114 may, for example,store and serve a website, i.e., a collection of web pages and data thatare available to users via a browser.

The network server 114 may include one or more controllers 402 and adatabase 406, as described above in connection with FIG. 4. In addition,the network server 114 may include a communication protocol layer 2716,which provides low-level communication functions to servercommunications software. The communication protocol layer 2716 may be,but need not be, the same as the communication protocol layer 2714 ofthe interface station computer 304.

As shown in FIG. 27, the network server 114 may communicate through thenetwork 2724 with an issuer authority 2718. The issuer authority 2718may correspond, for example, to any of the advertiser(s) 108,non-financial media issuer(s) 110, or financial media issuer(s) 112described above in connection with FIG. 1, or may be any entitydesignated to represent any of the same.

Overall, the networking arrangement illustrated in FIG. 27 allows thePocket Vault 102 to access the network server 114. It also allows theinterface station computer 304 to access restricted portions of thenetwork server 114, such as, for example, user data stored in thedatabase 406, when access is authenticated through communication fromthe Pocket Vault 102 to the network server 114. Authentication andaccess to restricted areas of the network server 114 will be furtherdescribed below.

In order for the Pocket Vault 102 to perform communications functions,as well as other functions described elsewhere herein, the Pocket Vault102 may be driven by control software 2708. FIG. 28 is a block diagramillustrating example components of the control software 2708 that may bedisposed on the Pocket Vault 102.

As shown, the control software 2708 may include components such as acommunications software module 2802, a card loading module 2804, an RFIDtag loading module 2805, an internet settings management module 2806, asynchronization module 2808, a statistics module 2810, and a securitymodule 2812. It should be appreciated, of course, that the controlsoftware 2708 is not limited to the illustrative modules shown, and thatthe control software 2708 may comprise fewer modules or additionalmodules to perform other functions, such as the functionality describedabove in connection with FIGS. 7-12.

The communications software module 2802 may, for example, be responsiblefor communications with the network server 114 and with the interfacestation computer 304, in the manner discussed below.

The card loading module 2804 may, for example, be responsible forloading data for new cards or tokens and storing such data in memory, aswell as for transferring this data to the network server 114, whenappropriate. Examples of how card/token data may be loaded onto thePocket Vault 102 are discussed below in connection with FIG. 34.

The RFID tag loading module 2805 may, for example, be responsible forloading data for new RFID tags and storing such data in memory, as wellas for transferring this data to the network server 114, whenappropriate. Examples of how RFID tag data may be loaded onto the PocketVault 102 are discussed below in connection with FIG. 40.

Internet settings management module 2806 may, for example, beresponsible for managing the storage and use of internet settings by thePocket Vault 102. Such internet settings may, for example, correspond toany of the internet settings 2722 that may be stored on the interfacestation computer 304. The internet settings management module 2806 mayallow a user to store, manage, and transfer internet settings, e.g.,cookies and preference settings, from one computer to another. Operationof the internet settings management module 2708 will be furtherdescribed below in connection with the steps 3310 and 3320 of theroutine 3024 (FIG. 33).

The synchronization module 2808 may, for example, be responsible forsynchronizing data and settings stored on the Pocket Vault 102 with dataand settings stored on the network server 114. Operation of thesynchronization module 2808 is described below in connection with FIG.35.

The statistics module 2810 may, for example, collect statisticsconcerning use of the Pocket Vault 102. Such statistics may, forexample, include information such as the number of accesses to variouscards stored in the memory of the Pocket Vault 102, the number offinancial transactions engaged in, the date of the last update of thePocket Vault 102, the total amount and kind of data transferred betweenthe Pocket Vault 102 and each interface station 104 and/or the networkserver 114. In addition, the statistics module 2810 may be adapted to becustomized by the user.

The security module 2812 may, for example, ensure security ofauthentication and communications. All communications to and from thenetwork server 114 and the interface station 104 may be encrypted by thesecurity module 2812, so that any attacker who intercepts thosecommunications will receive no useful information.

Any of numerous types of encryption may be used to satisfactorilyprotect communications between the Pocket Vault 102 and the otherdevices in the network. For example, one of the asymmetric-keyencryption types, such as public key encryption or private keyencryption, may be used. These public/private encryption techniques arewell known in the art and therefore will not be described here indetail. Alternatively, one-time pad encryption or other encryptiontechniques may be used to achieve a similar objective.

As discussed above, the Pocket Vault 102 may be adapted to not releaseany personal or secure information, even encrypted, until the holderpresents satisfactory verification of his or her identity, such as, forexample, presenting the holder's fingerprint to the fingerprint scanner220 or entering a password. In addition, fingerprint and passwordprotection may be used together for authentication purposes, such thatpersonal or secure information can be transferred or released only ifthe holder has been successfully authenticated using both techniques.

In alternative embodiments, security may be implemented using differentmeasures, or may be omitted altogether in situations where the interfacestation computer 304 is a trusted host. In addition, security module2812 may be called on to perform security functions in situations otherthan communicating with the network server 114

and the interface station computer 304.

The manner of communication among the Pocket Vault 102, the networkserver 114, and an interface station computer 304 will now be describedin connection with FIG. 29. FIG. 29 is a data flow diagram illustratinghow data may be transferred between the Pocket Vault 102 and a userinterface 2902 of the interface station computer 304. The user interface2902 may, for example, comprise a web browser included in thecommunications software 2710 running on the interface station computer304. Alternatively, it may be a stand-alone application that allows auser to interact with the communications software 2710 and, through it,interact with a website located on the network server 114.

In the illustrative embodiment shown, the data transfer takes place viathe communication driver 2712, the network server 114, and thecommunications software 2710, data can flow in both directions at allconnection points, and all communications between the Pocket Vault 102and the user interface 2902 of the interface station computer 304 passthrough the network server 114.

Using the arrangement shown, the user may, for example, update settingson the Pocket Vault 102 by using the user interface 2902 and thecommunication software 2710 to update settings on the network server114, and then instructing the network server 114 to update settings onthe Pocket Vault 102 via the communication driver 2712.

In one embodiment, the network server 114 implements a website, whereuser information may be selectively stored and accessed by a personusing the communication software 2710 (e.g., a web browser) running onthe interface station computer 304, and any user may access the websiteon the network server 114. However, the website may have a so-called“restricted area” which can be accessed only after the user hasauthenticated his or her identity. As used herein, the term “restrictedarea” or “restricted information” means any data that is not availableto general public without some sort of authentication. For example, eachuser may have preferences stored in the database 406 that would indicatehow the main site should be presented to that user. Those preferenceswill not be available to other users. In addition to such relativelylow-security settings, such as website preferences, database 406 mayalso contain private user information, such as information about auser's credit cards and identity information. Access to this restrictedinformation may be limited, for example, to only “authenticated” users.

Authentication of a Pocket Vault holder may be achieved, for example, bythe holder applying a fingerprint to the fingerprint scanner 220 of thePocket Vault 102, interfacing the Pocket Vault 102 with the interfaceunit 302 (which acts essentially as a pass-through device), andestablishing a connection between the Pocket Vault 102 and the networkserver 114 via the communication driver 2712. Based on communicationswith the Pocket Vault 102 via this “connection,” the website maydetermine: (1) whether the Pocket Vault 102 has been “validated,” i.e.,whether a fingerprint has been stored in the fingerprint memory of thePocket Vault 102 and whether validation information (e.g., a PKIcertificate) is present on the Pocket Vault 102, and (2) whether thePocket Vault 102 has been authenticated, i.e., whether the fingerprintrecently scanned by the Pocket Vault 102 matched the fingerprint storedin the fingerprint memory of the Pocket Vault 102. If the websitedetermines that the Pocket Vault 102 has not yet been validated, theuser may be given an option to validate the Pocket Vault 102 using thewebsite software. If the website determines that the Pocket Vault 102has been validated and authenticated, then the network server 114 mayenable the authenticated holder to access or perform functions relatingto some or all of the restricted area of the database 406 containingthat holder's information.

Communication driver 2712 may be a light-weight application that canaccess and modify the internet settings 2722, and can also accesscommunications protocol layer 2714, but cannot transfer information toany other software programs. For example, the communication driver 2712may access the internet settings 2722 in order to determine that theinterface station computer 304 is connected to the network 2724 througha dial-up connection; following that, it may initiate the dial-upconnection or use an established connection through the communicationsprotocol layer 2714 in order to tunnel packets from the Pocket Vault 102to the network 2724.

FIG. 30 is a flow diagram illustrating an example implementation of thePROCESS REQUEST TO ACCESS WEBSITE routine 1422 shown in FIG. 14, whichmay be executed by the controller 308 of the interface station computer304. As discussed above in connection with FIG. 14, it should beappreciated that this routine need not be accessed as a result of a userselecting it from the menu displayed in the step 1402. Rather, a usermay simply use a browser to directly log onto the website on the networkserver 114.

As shown, the routine 1422 begins at a step 3002, wherein the interfacestation computer 304 is caused to access the website on the networkserver 114, e.g., by using a browser to access the website.

After the step 3002, the routine 1422 proceeds to a step 3004, whereinit is determined whether the requisite communication drivers 2712 havebeen installed.

When, at the step 3004, it is determined that the requisitecommunication drivers 2712 have not been installed, the routine 1422proceeds to an INSTALL DRIVER(S) routine 3006 (discussed below inconnection with FIG. 31), which is responsible for installing thecommunication drivers 2712.

After the routine 3006 has completed, the routine 1422 proceeds to astep 3008, wherein the communication drivers 2712 are caused to becomeoperational.

When, at the step 3004, it is determined that the requisite drivers 2712have already been installed, the routine 1422 proceeds directly to thestep 3008 (discussed above).

After the step 3008, the routine 1422 proceeds to steps 3010-3016,wherein attempts are made to establish a connection between the PocketVault 102 and the website on the network server 114 within a time outperiod determined by the step 3014. Each time it is determined that theconnection has not yet been established, the user is prompted tointerface the Pocket Vault 102 with the interface unit 302 and toconnect the interface unit 302 to the interface station computer 304(e.g., using a USB cable).

When, during the steps 3010-3016, it is determined that a connection hasnot been established between the Pocket Vault 102 and the website in atimely manner, the routine 1422 proceeds to a step 3026, wherein amessage is displayed to the user regarding the unsuccessfulcommunication attempt between the Pocket Vault 102 and the website onthe network server 114.

After the step 3026, the routine 1422 terminates.

When, during the steps 3010-3016, it is determined that a connection hasbeen successfully established between the Pocket Vault 102 and thewebsite on the network server 114, the routine 1422 proceeds to a step3018, wherein it is determined whether the Pocket Vault 102 has beenvalidated, e.g., whether a holder's fingerprints and a PKI certificateare stored therein. The website may, for example, make thisdetermination based upon the messages exchanged during the handshakingprotocol engaged in between the Pocket Vault 102 and the network server114.

When, at the step 3018, it is determined that the Pocket Vault 102 hasnot yet been validated, the routine 1422 proceeds to a NEW POCKET VAULTHOLDER routine 3020, which is discussed below in connection with FIG.32.

When, at the step 3018, it is determined that the Pocket Vault 102 hasalready been validated, the routine 1422 proceeds to an EXISTING POCKETVAULT HOLDER routine 3024, which is discussed below in connection withFIG. 33.

After completion of the EXISTING POCKET VAULT HOLDER routine 3024, theroutine 1422 terminates.

After completion of the NEW POCKET VAULT HOLDER routine 3020, theroutine 1422 proceeds to a step 3022, wherein it is determined whether anew holder was successfully validated.

When, at the step 3022, it is determined that a new holder wassuccessfully validated, the routine 1422 proceeds to the EXISTING POCKETVAULT HOLDER routine 3024 (discussed above).

When, at the step 3022, it is determined that a new holder was notsuccessfully validated, the routine 1422 terminates.

FIG. 31 is a flow diagram illustrating an example implementation of theINSTALL DRIVER(S) routine 3006 shown in FIG. 30.

As shown, the routine 3006 begins at a step 3102, wherein the necessarycommunication drivers 2712 are downloaded from another computer, e.g., awebsite on the World Wide Web.

After the step 3102, the routine 3006 proceeds to steps 3104-3108,wherein the necessary communication drivers 2712 are installed on theinterface station computer 304 and registered with network server 114,and the preferences for the communication drivers 2712 are set eitherautomatically or in response to user input. During the step 3106, thecommunication driver 2712 may communicate with the network server 114 inorder to register itself and its attributes. Among these attributes canbe such things as a unique identifier for the interface station computer304 on which that driver is installed, the identity of the userregistering it, and other such items. The preferences that may be set bythe user during the step 3108 may, for example, include information suchas how and where to access the internet settings 2722, how many attemptsat connection should be performed, etc.

After the step 3108, the routine 3006 terminates.

FIG. 32 is a flow diagram illustrating an example implementation of theNEW POCKET VAULT HOLDER routine 3020 shown in FIG. 30.

As shown, the routine 3020 begins at a step 3202, wherein it isdetermined whether the new holder has indicated that he or she hasalready established an account with the website on the network server114.

When, at the step 3202, it is determined that the new holder has notindicated the existence of a previously-established account, the routine3020 proceeds to a step 3204, wherein a new account is established onthe website on the network server 114 in response to user input to abrowser running on the interface station computer 304.

After the step 3204, the routine 3020 proceeds to a step 3206, whereinthe new holder is prompted to apply his or her fingerprint to thefingerprint scanner 220 while the Pocket Vault 102 is interfaced withthe interface unit 302. The user is further prompted to follow thedirections on the Pocket Vault 102. As discussed above in connectionwith FIGS. 7 and 8, when a fingerprint is applied to a fingerprintscanner 220 of an un-validated device, the user is instructed by thePocket Vault to apply six finger prints (three from one finger on theleft hand and three from one finger on the right hand) sequentially tothe fingerprint scanner 220, waiting for a beep each time. As discussedin connection with FIG. 8, after the new holder has completed this task,an encrypted message including the Pocket Vault ID may be released fromthe Pocket Vault to the interface unit 302. Because of the establishedconnection between the Pocket Vault 102 and the website on the networkserver 114, this encrypted message should reach the website. And, inresponse to receiving this encrypted message, the website should releaseencrypted validation information (e.g., a PKI certificate) back to thePocket Vault 102 via the established connection.

After the step 3206, the routine 3020 proceeds to steps 3208-3210,wherein it is determined whether the Pocket Vault 102 has released theencrypted message including the Pocket Vault ID to the website before atimeout period has elapsed.

When, at the step 3210, it is determined that the timeout period elapsedbefore the encrypted message including the Pocket Vault ID was releasedto the website, the routine 3020 proceeds to a step 3220, wherein amessage is displayed to the user concerning the unsuccessful attempt tovalidate the Pocket Vault holder.

After the step 3220, the routine 3020 terminates.

When, at the steps 3208-3210, it is determined the Pocket Vault 102 hasreleased the encrypted message including the Pocket Vault ID to thewebsite before the timeout period elapsed, the routine 3020 proceeds toa step 3212, wherein it is determined whether the website has releasedthe encrypted validation information (e.g., a PKI Certificate) to thePocket Vault 102.

When, at the step 3210, it is determined that the timeout period elapsedbefore the website released the encrypted validation information (e.g.,a PKI Certificate) to the Pocket Vault 102, the routine 3020 proceeds tothe step 3220 (discussed above).

When, at the step 3210, it is determined that the website released theencrypted validation information (e.g., a PKI Certificate) to the PocketVault 102 before the timeout period elapsed, the routine 3020 proceedsto a step 3216, wherein a message is displayed to the user concerningthe successful validation of the new Pocket Vault holder.

After the step 3216, the routine 3020 terminates.

When, at the step 3202, it is determined that the new holder hasindicated the existence of a previously-established account, the routine3020 proceeds to a step 3218, wherein a check is made to verify theholder's identity. The holder may, for example, be required to enterpersonal information, such as name, contact information, and securityinformation to verify his or her identity.

When, at the step 3218, it is determined that the holder hassuccessfully verified his or her identity, the routine 3020 proceeds tothe step 3206 (discussed above), with the holder's previously-storedaccount information being used for the new Pocket Vault 102.

When, at the step 3218, it is determined that the holder has notsuccessfully verified his or her identity, the routine 3020 proceeds tothe step 3220 (discussed above).

FIG. 33 is a flow diagram illustrating an example implementation of theEXISTING POCKET VAULT HOLDER routine 3024 shown in FIG. 30.

As shown, the routine 3024 begins at a step 3302, wherein it isdetermined whether the Pocket Vault 102 has been authenticated, e.g.,whether the Pocket Vault 102 has determined that a fingerprint appliedto the fingerprint scanner 220 matches one of the fingerprints stored inthe fingerprint memory of the Pocket Vault 102. This authenticationprocedure may operate as described above in connection with the step 712(FIG. 7), or an additional or different routine may be employed (e.g.,as part of the security module 2812 described above in connection withFIG. 28) to determine whether the holder has successfully authenticatedhis or her identity, thereby enabling the network server 114 toestablish a “trust” relationship with the Pocket Vault 102.

When, at the step 3302, it is determined that the Pocket Vault 102 hasnot been properly authenticated, the routine 3024 proceeds to a step3304, wherein the holder is prompted to apply his or her fingerprint tothe fingerprint scanner 220 of the Pocket Vault 102 while the PocketVault 102 is interfaced with the interface unit 302, i.e., while keepingthe connection established between the Pocket Vault 102 and the websiteon the network server 114.

As shown, the step 3306 determines whether the Pocket Vault 102 has beenproperly authenticated prior to the expiration of a timeout period.

When, at the step 3306, it is determined that the timeout period elapsedbefore the Pocket Vault 102 was authenticated, the routine 3024 proceedsto a step 3308, wherein a message is displayed indicating that theauthentication attempt was unsuccessful.

After the step 3308, the routine 3024 terminates.

When, at the step 3302, it is determined that the Pocket Vault 102 hasbeen properly authenticated, the routine 3024 proceeds to a step 3310,wherein the communication driver 2712 causes the internet settings 2722of the interface station computer 304 to be adjusted to reflect certaininternet settings stored in the Pocket Vault 102, e.g., by the internetsettings management module 2806. In this manner, the internet settingsof the Pocket Vault 102 may be “ported” to the interface stationcomputer 304 so that the browser operating on the interface stationcomputer 304 may take advantage of those settings while the Pocket Vault102 is connected to the website on the network server 114 via thecommunication driver 2712. The internet settings of the Pocket Vault 102that may be ported to the interface station computer 304 in this mannermay comprise, for example, the network name and identification of thePocket Vault 102, an identification of communications protocols used toconnect to the network 2724, network preferences, such as whether anyproxy servers may or should be used, a list of frequently-used servers,cookies previously obtained from various websites, digital certificates,personal bookmarks, user identity data, user password data for variousservers, etc.

The internet settings on the Pocket Vault 102, and porting of the sameto the interface station computer 304, may be managed, for example, byone or more modules of the control software, e.g., the internet settingsmanagement module 2806. In one embodiment, the user may elect whichinternet settings are to be ported to the interface station computer 304during the step 3310. This functionality may be accomplished, forexample, during a SET PREFERENCES routine 3324 (described below inconnection with FIG. 39).

After the step 3310, the routine 3024 proceeds to a step 3312, whereinit is determined whether one of several “functions” has been selected.In the illustrative embodiment shown, the seven available functions are:(1) CARD LOADING (see CARD LOADING routine 3314—discussed below inconnection with FIG. 34), (2) RFID TAG LOADING routine 3315—discussedbelow in connection with FIG. 40, (3) SYNCHRONIZATION (seeSYNCHRONIZATION routine 3316—discussed below in connection with FIG.35), (4) RECOVERY (see RECOVERY routine 3318—discussed below inconnection with FIG. 36), (5) IDENTITY PORTING OPTIONS (see IDENTITYPORTING OPTIONS routine 3320—discussed below in connection with FIG.337), (6) BACKUP (see BACKUP routine 3322—discussed below in connectionwith FIG. 38), (7) SET PREFERENCES (see SET PREFERENCES routine3324—discussed below in connection with FIG. 39), AND (8) TERMINATESESSION (see step 3326). It should be appreciated that the invention isnot limited to the specific functions shown, and that additional,different or fewer functions may be employed.

It should further be appreciated that some or all of the illustratedfunctions, or operations relating to such functions, may be initiatedautomatically or may require user initiation, depending on the settingof preferences. For example, the SYNCHRONIZATION routine 3316 may beinitiated automatically after completion of the step 3310, ifpreferences so indicate. Alternatively, certain steps required toaccomplish synchronization of the Pocket Vault 102 and the website onthe network server 114 may be taken, without actually completing thesynchronization. For example, the synchronization module 2808 of thecontrol software 2708 may automatically initiate a comparison of thecontents of the Pocket Vault 102 and the website to determine what datashould be transferred if synchronization is initiated. Software on thenetwork server 114 may also or alternatively perform a similarcomparison function automatically, if so desired.

Moreover, it should be understood that, in some embodiments, some of theabove-noted functions may be performed without first requiring a PocketVault 102 to be authenticated. For example, some functions may involvethe transfer of public or non-sensitive data, and may not requireprotection via the authentication verification step 3302.

As shown in FIG. 33, when any of the above-listed seven functions isselected, either automatically or in response to user input, theselected function is performed. For each of functions 3314, 3316, 3318,3320, 3322, and 3324, after performing the routine associated with thefunction, the routine 3024 proceeds to a step 3332, wherein it isdetermined whether the connection between the Pocket Vault 102 and thewebsite on the network server 114 is still established.

When, at the step 3332, it is determined that the connection between thePocket Vault 102 and the website on the network server 114 is stillestablished, the routine 3024 returns to the step 3312 (discussedabove).

When, at the step 3332, it is determined that the connection between thePocket Vault 102 and the website on the network server 114 is no longerestablished, the routine 3024 proceeds to a step 3327, wherein some orall of the internet settings 2722 are ported from the interface stationcomputer 304 to the Pocket Vault 102. The communication driver 3712 maycause the settings to be ported directly to the Pocket Vault 102 fromthe interface station computer 304 (via the interface unit 302), or thesettings may be transferred first to the network server 114 and then tothe Pocket Vault 102 (via the connection between the network server 114and the Pocket Vault 102). In some embodiments, only certain types orclasses of settings, e.g., certain type of cookies, PKI certificates,etc., are ported from the interface station computer 304 to the PocketVault 102 in this manner. The classes or types of settings that areported during the step 3327 may, for example, be determined by the userin some embodiments. For example, the user may set certain preferences,e.g., during the SET PREFERENCES routine 3324 or by manipulating thePocket Vault 102 directly, that control the nature and type of internetsettings that are ported to the Pocket Vault 102 from the interfacestation computer 304 during the step 3327.

After the step 3327, the routine 3024 proceeds to a step 3328, whereinthe communication driver 2712 causes the internet settings 2722 on theinterface station computer 304 to return to their original state, i.e.,the configuration the internet settings 2712 were in before they werealtered in the step 3310.

After the step 3328, the routine 3024 proceeds to a step 3330, whereinany cached web pages or other information temporarily stored in theinterface station computer 304 during the communication session betweenthe Pocket Vault 102 and the website on the network server 114 aredeleted from cache and other memory in the interface station computer304. Thus, after completion of the step 3330, the interface stationcomputer 304 is in essentially the same state it was in prior to thebeginning of the routine 1422. The communication driver 2712 may remainon the interface station computer 304 or may be deleted in connectionwith the step 3330. If the communication driver 2712 is kept on theinterface station computer 304, any cache or other memory associatedwith it that might store personal or sensitive information may also beerased. In some embodiments, the communication driver 2712 caches orstores very little, if any, information that is passed between thePocket Vault 102 and the website on the network server 114. In anyevent, the communication driver 2712 may be constructed such that nouseful data, i.e., data that reflects any personal or sensitiveinformation, remains on it after completion of the step 3330.

When, at the step 3312, the holder chooses the TERMINATE SESSIONfunction, the connection between the Pocket Vault 102 and the website onthe network server 114 is de-established, and the routine 3024 proceedsimmediately to the steps 3327, 3328 and 3330 (discussed above).

After the step 3330, the routine 3024 terminates.

FIG. 34 is a flow diagram illustrating an example implementation of theCARD LOADING routine 3314 shown in FIG. 33.

As shown, the routine 3314 begins at a step 3402, wherein adetermination is made as to whether the card desired to be loaded is“swipeable.” The user may, for example, be prompted to indicate whetherthe card has an operational magnetic stripe disposed thereon.

When, at the step 3402, the user indicates that the card does not havean operational magnetic stripe, the routine 3314 proceeds to a step3406, wherein the user is prompted (e.g., via the browser on theinterface station computer 304) to input information to be used increating a card account.

When, at the step 3402, the user indicates that the card does have anoperational magnetic stripe, the routine 3314 proceeds to the step 3410,wherein the user is prompted to swipe the card through the stripe reader315 of the interface unit 302.

After the step 3406, the routine 3314 proceeds to steps 3408 and 3409,wherein it is determined whether the interface station computer 304 hasreceived the information from a card swiped through the stripe reader315 of the interface unit 302 prior to the expiration of a timeoutperiod.

When, at the step 3409, it is determined that the timeout period elapsedbefore information from a swiped card was received, the routine 3314proceeds to a step 3411, wherein a message is displayed to the userconcerning the failure to properly read the magnetic stripe.

After the step 3411, the routine 3314 returns to the step 3402(discussed above). Thus, when a user is unsuccessful in swiping a cardone or more times, the user may determine that the magnetic stripe isnon-operational, and may indicate at the step 3402 that the card is notswipeable. The user may thereafter create an account for the cardmanually at the step 3410 (discussed above).

After the step 3410, the routine proceeds to a step 3412, wherein thewebsite on the network server 114 determines whether the account for thecard is valid. This determination may be made, for example, byconfirming that the card is owned by the person attempting to add it tohis or her Pocket Vault 102, that the card has not expired, etc.

When, at the step 3408, it is determined that information from theswiped card has been received prior to the expiration of the timeoutperiod, the routine 3314 proceeds to the step 3412 (discussed above),wherein a determination is made as the validity of the account basedupon the information read by the stripe reader 315.

When, at the step 3412, a determination is made that the account theuser has requested to be added to the Pocket Vault 102 is not valid, theroutine 3314 proceeds to a step 3414 wherein appropriate securityprecautions are taken.

After the step 3414, the routine 3314 terminates.

When, at the step 3412, a determination is made that the account theuser has requested to be added to the Pocket Vault 102 is valid, theroutine 3314 proceeds to a step 3416, wherein the information for thecard is downloaded from the website on the network server 114 to thePocket Vault 102 via the communication driver 2712.

After the step 3416, the routine 3314 proceeds to a step 3418, wherein amessage is displayed that indicates the card has been successfullyloaded onto the Pocket Vault 102 for use in future transactions.

After the step 3418, the routine 3314 terminates.

FIG. 35 is a flow diagram illustrating an example implementation of theSYNCHRONIZATION routine 3316 shown in FIG. 33.

As shown, the routine 3316 begins at a step 3502, wherein certainparameters required to synchronize the Pocket Vault 102 to the websiteon the network server 114 are determined based upon user preferences andthe ID of the Pocket Vault 102. For example, if a holder has two or morePocket Vaults 102, the holder may wish to elect one of them to be amaster for synchronization purposes, or the holder may even elect tohave the website act as the master. When a holder has more than onePocket Vault 102, the holder also may desire to be prompted to selecteither the current date or the date of the last synchronization as thebasis for the synchronization operation.

After the step 3502, the routine 3316 proceeds to a step 3504, whereinthe website on the network server 114 generates sets of current data totransfer to the Pocket Vault 102. The website may, for example, compareits current data to the data stored on the Pocket Vault 102 so as toidentify any data it needs to receive from the Pocket Vault 102 toproperly synchronize therewith.

After the step 3504, the routine 3316 proceeds to steps 3506 and 3508,wherein it is determined whether the Pocket Vault 102 has indicated thatit is ready to synchronize prior the expiration of a timeout period(measured by the step 3508). The Pocket Vault 102 may, for example, alsobe performing a similar comparison (e.g., using the synchronizationmodule 2808) between its data and the data stored on the website of thenetwork server to determine what data it needs to receive from thewebsite to properly synchronize therewith.

When at the step 3508, it is determined that the timeout period haselapsed before the Pocket Vault 102 had indicated its readiness tosynchronize, the routine 3316 proceeds to a step 3510, wherein a messageis generated indicating the attempt to synchronize the Pocket Vault 102with the website on the network server 114 has failed.

After the step 3510, the routine 3316 terminates.

When at the step 3506, it is determined that the Pocket Vault 102 hasindicated its readiness to synchronize with the website prior to theexpiration of the timeout period, the routine 3316 proceeds to a step3512, wherein accumulated synchronization data is transferred from thewebsite to the Pocket Vault 102, and vice versa, via the communicationdriver 2712.

After the step 3512, the routine 3316 proceeds to a step 3516, whereinthe date of the successful synchronization is stored in both the PocketVault 102 and the network server 114.

After the step 3516, the routine 3316 proceeds to a step 3518, wherein amessage is generated indicating that the Pocket Vault 102 has beensuccessfully synchronized with the website on the network server 114.

After the step 3518, the routine 3316 terminates.

FIG. 36 is a flow diagram illustrating an example implementation of theRECOVERY routine 3318 shown in FIG. 33.

As shown, the routine 3318 begins at a step 3602, wherein the website onthe network server 114 compiles all data necessary to recover the PocketVault 102 to its state as of the last time its contents weresynchronized with the website of the network server 114 (e.g., using theroutine 3316—described above) or backed up on the website of the networkserver 114 (e.g., using routine 3322—described below).

After the step 3602, the routine 3318 proceeds to step 3604, wherein thedata compile in the step 3602 is downloaded from the website on thenetwork server 114 to the Pocket Vault 102 via the communication driver2712, and a determination is made as to where that downloading hascompleted prior to the expiration of a timeout period measured at thestep 3606.

When, at the step 3606, it is determined that the timeout period elapsedprior to the downloading being completed, the routine 3318 proceeds to astep 3608, wherein a message is generated indicating that the attemptedrecovery was unsuccessful.

After the step 3606, the routine 3318 terminates.

When, at the step 3606, it is determined that the downloading wascompleted in a timely manner, the routine 3318 proceeds to a step 3610,wherein a message is generated indicating that the attempted recovery ofdata to the Pocket Vault 102 was successful.

After the step 3610, the routine 3318 terminates.

FIG. 37 is a flow diagram illustrating an example implementation of theIDENTITY PORTING SELECTION routine 3320 shown in FIG. 33.

As shown, the routine 3320 begins at a step 3702, wherein the internetsettings 2722 from the interface station computer 304 are downloadedfrom the interface station computer 304 to the website on the networkserver 114.

After the step 3702, the routine 3320 proceeds to a step 3704, whereinthe website on the network server 114 compiles and displays thedownloaded internet settings to the user via the browser on theinterface station computer 304. The settings may be displayed to theuser in any of a number of ways. Preferably, the settings are displayedin a manner that enables the user to readily distinguish between variousclasses of settings, and that permits the user to readily identify thepurpose of each type of setting. In some embodiments, only a subset ofthe all of the internet settings 2722 (e.g., only settings such ascookies and PKI certificates) are transferred to the website forpossible modification by the user.

After the step 3704, the routine 3320 proceeds to steps 3706 and 3708,wherein the user is given an opportunity to modify the displayedinternet settings. The user may, for example, elect to keep certaincookies that were retained among the internet settings 2722, whilechoosing to discard others.

When at the step 3708, the user has indicated that he or she hascompleted any modifications of the retrieved internet settings 2722, theroutine 3320 proceeds to a step 3710, wherein the modified internetsettings are downloaded from the website on the network server 114 tothe Pocket Vault 102 via the communication driver 2712.

After the step 3710, the routine 3320 terminates.

When at the step 3706, it is determined that the user did not elect tomodify any settings, the routine 3320 terminates.

FIG. 38 is a flow diagram illustrating an example implementation of theBACKUP routine 3322 shown in FIG. 33.

As shown, the routine 3322 begins at a step 3802, wherein the website onthe network server 114 transmits a request to the Pocket Vault 102 viathe communication driver 2712, asking the Pocket Vault 102 to send thewebsite backup data. This backup data may, for example, constitute alldata necessary to place the Pocket Vault 102 back into its present stateif any portion of data on the Pocket Vault 102 was lost, or to place anew Pocket Vault 102 into the same state as the backed up Pocket Vault102 (e.g., using the RECOVERY routine 3318—discussed above).

After the step 3802, the routine 3322 proceeds to steps 3804-3806,wherein it is determined whether the requested backup data has beensuccessfully transferred from the Pocket Vault 102 to the website on thenetwork server 114 before the expiration of a timeout period (measuredby the step 3806).

When, at the step 3806, it is determined that the timeout period elapsedprior to the backup data being successfully transferred, the routine3322 proceeds to a step 3808, wherein a message is displayed (e.g., viathe browser on the interface station computer 304) informing the userthat a communication error has occurred and that the backup operationwas unsuccessful.

After the step 3808, the routine 3322 terminates.

When, at the step 3804, the routine 3322 determined that, before thetimeout period, the backup data has been successfully transferred fromthe Pocket Vault 102 to the website on the network server 114 via thecommunication driver 2712, the routine 3322 proceeds to a step 3810,wherein the received backup data is stored by the network server 114,e.g., for use in connection with the RECOVERY routine 3318.

After the step 3310, the routine 3322 proceeds to a step 3812, wherein amessage is displayed (e.g., via the browser on the interface stationcomputer 304) informing the user that the backup operation wassuccessfully completed.

After the step 3312, the routine 3322 terminates.

FIG. 39 is a flow diagram illustrating an example implementation of theSET PREFERENCES routine 3324 shown in FIG. 33. The SET PREFERENCESroutine 3324 permits the holder to set or alter preferences on his orher Pocket Vault 102 using a browser on the interface station computer104.

As shown, the routine 3324 begins at a step 3902, wherein the website onthe network server 114 transmits a request to the Pocket Vault 102 viathe communication driver 2712, requesting the Pocket Vault 102 totransmit all “preferences” information stored on the Pocket Vault 102 tothe website on the network server 114 via the communication driver 2712.This information may, for example, comprise definitions of home pages,connection of secure and non-secure media, order of media presentment,sort orders, user interface options, synchronization defaults, etc.

After the step 3902, the routine 3324 proceeds to steps 3904 and 3906,wherein it is determined whether the preferences information has beenreceived from the Pocket Vault 102 prior to the expiration of a timeoutperiod (measured by the step 3906).

When, at the step 3906, it is determined that the timeout period elapsedbefore the preferences information was transferred from the Pocket Vault102 to the website, the routine 3324 proceeds to a step 3908, wherein amessage is displayed (e.g., on the browser) indicating that acommunication error has occurred.

After the step 3908, the routine 3324 terminates.

When, at the step 3904, it is determined that the preferencesinformation has been successfully transferred from the Pocket Vault 102to the website on the network server 114, the routine 3324 proceeds to astep 3910, wherein the website compiles and displays the currentpreference settings for the Pocket Vault 102 (e.g., on the browser) in auser friendly manner.

After the step 3910, the routine 3324 proceeds to steps 3912 and 3914,wherein the user is given an opportunity to modify the displayedpreference settings.

When, at the step 3912, the user opts not to modify any of the displayedsettings, the routine 3324 terminates.

When, at the steps 3912 and 3914, the user opts to modify the displayedsettings and indicates that he or she has completed modificationthereof, the routine 3324 proceeds to a step 3916, wherein the modifiedpreference settings are downloaded from the website on the networkserver 114 to the Pocket Vault 102 via the communication driver 2712.

After the step 3918, a message is displayed (e.g., via the browser onthe interface station computer 304) informing the user that thepreference settings for the Pocket Vault 102 were successfully modified.

After the step 3918, the routine 3324 terminates.

FIG. 40 is a flow diagram illustrating an example implementation of theRFID TAG LOADING routine 3315 shown in FIG. 33.

As shown, the routine 3315 begins at a step 4002, wherein the user mayuse the website on the network server 114 to create an account for theRFID tag to be loaded onto the Pocket Vault 102.

After the step 4002, the routine proceeds to a step 4004, wherein thewebsite on the network server 114 determines whether the account for theRFID tag is valid, for example, by checking with the media that issuedthe RFID tag account.

When, at the step 4004, it is determined that the account for the RFIDtag is not valid, the routine 3315 proceeds to a step 4010, whereinappropriate security precautions are taken.

After the step 4010, the routine 3315 terminates.

When, at the step 4004, a determination is made that the account for theRFID tag is valid, the routine 3315 proceeds to a step 4006, wherein theinformation for the RFID tag is downloaded from the website on thenetwork server 114 to the Pocket Vault 102 via the communication driver2712.

After the step 4006, the routine 3315 proceeds to a step 4008, wherein amessage is displayed that indicates the RFID tag information has beensuccessfully loaded onto the Pocket Vault 102 for use in futuretransactions.

After the step 4008, the routine 3315 terminates.

One illustrative example of an application of the network systemdescribed herein is in the distribution of building access key cards andsimilar limited-use, time-sensitive media to individual operators. Thefollowing typical scenario involves distribution of hotel room key cardsto hotel guests who make room reservations over the Internet. Using ahotel's secure web site, the prospective guest, who is also a PocketVault holder, may secure a room for a specific time period by providinga credit card number. This step may or may not involve use of a creditcard stored on the Pocket Vault 102. If it does involve use of a PocketVault credit card, this card may, for example, be accessed while thePocket Vault 102 is interfaced with the holder's personal interfacestation 104 b. Next, the prospective hotel guest may link to the networkserver 114 (while staying within the hotel's website), and followon-screen instructions for downloading the key card for his/her roomonto the Pocket Vault 102 (e.g., to ensure that the Pocket Vault 102 isinterfaced with the pocket vault interface unit 302, and to ensure thatthe Pocket Vault holder has activated the Pocket Vault 102 by theappropriate security mechanism such as a thumbprint for bio-metric IDverification). After downloading is complete, the display 216 of thePocket Vault 102 may include an icon for the hotel room key (e.g., thehotel's logo), along with the icons for media previously loaded. Whenthe room key card icon is selected, the Pocket Vault 102 may encode theChameleon Card with the magnetic stripe coding to unlock the guest'shotel room.

After the time period of the guest's room reservation has expired, thePocket Vault 102 may automatically delete the room key icon. Thisdeletion may occur for the convenience of the Pocket Vault holder, notnecessarily for hotel security reasons, since the room's lock willreject any previously-used key card (Chameleon or traditional key card)after the key card's specified time period has expired.

Having thus described at least one illustrative embodiment of theinvention, various alterations, modifications and improvements willreadily occur to those skilled in the art. Such alterations,modifications and improvements are intended to be within the spirit andscope of the invention. Accordingly, the foregoing description is by wayof example only and is not intended as limiting. The invention islimited only as defined in the following claims and the equivalentsthereto.

1. An apparatus, comprising: a user authenticator that authenticates anidentity of a user; and a transponder that is permitted to emit awireless signal representing information stored in the apparatus inresponse to a wireless interrogation signal after the user authenticatorhas authenticated the identity of the user.
 2. The apparatus of claim 1,wherein the wireless signal representing the information and thewireless interrogation signal are radio frequency signals.
 3. Theapparatus of claim 1, wherein the apparatus further comprises a memorythat stores at least first and second distinct codes, and a user inputthat permits the user to select any one of the at least first and secondcodes for transmission in response to an interrogation signal; andwherein the transponder is permitted to emit a wireless signalrepresenting the selected one of the at least first and second codes inresponse to an interrogation signal.
 4. The apparatus of claim 3,further comprising a display that identifies the one of the at leastfirst and second codes the user has selected.
 5. The apparatus of claim3, wherein the first and second codes correspond to accounts the userholds with respective first and second unrelated media issuers.
 6. Theapparatus of claim 1, in combination with an interrogator thatwirelessly emits the interrogation signal, and receives from theapparatus the wireless signal representing the information.
 7. A methodfor using an apparatus, comprising steps of: using the apparatus toauthenticate an identity of a user of the apparatus; and after theapparatus has authenticated the identity of the user, enabling atransponder of the apparatus to emit a wireless signal representinginformation stored in the apparatus in response to a wirelessinterrogation signal.
 8. The method of claim 7, wherein the wirelesssignal representing the information and the wireless interrogationsignal are radio frequency signals.
 9. The method of claim 7, whereinthe method further comprises steps of: manipulating a user input on theapparatus to select one of at least first and second codes stored inmemory; and permitting the transponder to emit a wireless signalrepresenting the selected one of the first and second codes in responseto the interrogation signal.
 10. The method of claim 9, wherein themethod further comprises steps of: manipulating the user input on theapparatus to select the other of the first and second codes stored inmemory; and permitting the transponder to emit a wireless signalrepresenting the other of the first and second codes in response to theinterrogation signal.
 11. The method of claim 10, further comprising astep of: in response to the user manipulating the user input, displayingto the user an identification of the one of the first and second codesthe user has selected.
 12. The method of claim 10, wherein the first andsecond codes correspond to accounts the user holds with respective firstand second unrelated media issuers.
 13. The method of claim 7, furthercomprising steps of: wirelessly emitting an interrogation signal from aninterrogator; receiving the interrogation signal at the transponder; inresponse to receiving the interrogation signal, emitting from thetransponder a wireless signal representing the information; andreceiving at the interrogator the wireless signal representing theinformation.
 14. The method of claim 13, further comprising a step ofauthorizing a transaction based upon the information received at theinterrogator.